1. Introduction
This section is non-normative.
The Protected Audience API facilitates selecting an advertisement to display to a user based on a previous interaction with the advertiser or advertising network.
When a user’s interactions with an advertiser indicate an interest in something, the advertiser can
ask the browser to record this interest on-device by calling navigator.joinAdInterestGroup(). Later, when a website wants to select an
advertisement to show to the user, the website can call navigator.runAdAuction() to ask the browser to conduct an auction where each of these on-device recorded interests are given the chance to
calculate a bid to display their advertisement.
2. Joining Interest Groups
This first introductory paragraph is non-normative.
When a user’s interactions with a website indicate that the user may have a particular interest, an
advertiser or someone working on behalf of the advertiser (e.g. a demand side platform, DSP) can ask
the user’s browser to record this interest on-device by calling navigator.joinAdInterestGroup(). This indicates an intent to display an
advertisement relevant to this interest to this user in the future. The user agent has an interest group set, a list of interest groups in which owner / name pairs are unique.
2.1. joinAdInterestGroup()
[SecureContext ]partial interface Navigator {Promise <undefined >joinAdInterestGroup (AuctionAdInterestGroup ); };group dictionary {AuctionAd required USVString ;renderURL any ;metadata USVString ;buyerReportingId USVString ;buyerAndSellerReportingId sequence <USVString >; };allowedReportingOrigins dictionary {GenerateBidInterestGroup required USVString ;owner required USVString ;name required double ;lifetimeMs boolean =enableBiddingSignalsPrioritization false ;record <DOMString ,double >;priorityVector record <USVString ,sequence <DOMString >>;sellerCapabilities DOMString = "compatibility";executionMode USVString ;biddingLogicURL USVString ;biddingWasmHelperURL USVString ;updateURL USVString ;trustedBiddingSignalsURL sequence <USVString >;trustedBiddingSignalsKeys DOMString = "none";trustedBiddingSignalsSlotSizeMode long ;maxTrustedBiddingSignalsURLLength any ;userBiddingSignals sequence <AuctionAd >;ads sequence <AuctionAd >; };adComponents dictionary :AuctionAdInterestGroup GenerateBidInterestGroup {double = 0.0;priority record <DOMString ,double >;prioritySignalsOverrides DOMString ; };additionalBidKey
AuctionAdInterestGroup is used by navigator.joinAdInterestGroup(), and
when an interest group is stored to interest group set. priority and prioritySignalsOverrides are not passed to generateBid() because they can be
modified by generatedBid() calls, so could theoretically be used to create a cross-site profile of
a user accessible to generateBid() methods, otherwise.
The joinAdInterestGroup(group) method steps are:
Temporarily, Chromium does not include the required keyword
for lifetimeMs, and instead starts this algorithm with the step
-
If group["
lifetimeMs"] does not exist, throw aTypeError.
This is detectable because it can change the set of fields that are read from the argument when a TypeError is eventually thrown, but it will never change whether the call succeeds or fails.
-
Let global be this's relevant global object.
-
If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "
NotAllowedError"DOMException. -
Let frameOrigin be this's relevant settings object's origin.
-
Assert that frameOrigin is not an opaque origin and its scheme is "
https". -
Let interestGroup be a new interest group.
-
Validate the given group and set interestGroup’s fields accordingly.
-
Set interestGroup’s expiry to the current wall time plus group["
lifetimeMs"] milliseconds. -
Set interestGroup’s next update after to the current wall time plus 24 hours.
-
Set interestGroup’s owner to the result of parsing an https origin on group["
owner"]. -
If interestGroup’s owner is failure, then throw a
TypeError. -
Optionally, throw a "
NotAllowedError"DOMException.Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the owner's site not being enrolled.
-
Set interestGroup’s enable bidding signals prioritization to group["
enableBiddingSignalsPrioritization"]. -
If group["
priorityVector"] exists, then set interestGroup’s priority vector to group["priorityVector"]. -
If group["
prioritySignalsOverrides"] exists, then set interestGroup’s priority signals overrides to group["prioritySignalsOverrides"]. -
If group["
sellerCapabilities"] exists, for each sellerString → capabilities of group["sellerCapabilities"]:-
Let sellerCapabilities be a new set of seller capabilities.
-
For each capabilityString of capabilities:
-
If sellerString is "
*", then set interestGroup’s all sellers capabilities to sellerCapabilities. -
Otherwise:
-
If interestGroup’s seller capabilities is null, then set interestGroup’s seller capabilities to a new ordered map whose keys are origins and whose values are sets of seller capabilities.
-
Let sellerUrl be the result of running the URL parser on sellerString.
-
If sellerUrl is not failure:
-
Let seller be sellerUrl’s origin.
-
If interestGroup’s seller capabilities does not contain seller, then set interestGroup’s seller capabilities[seller] to sellerCapabilities.
-
-
-
-
If group["
executionMode"] is "compatibility", "frozen-context", or "group-by-origin", then set interestGroup’s execution mode to it. -
For each groupMember and interestGroupField in the following table
Group member Interest group field " biddingLogicURL"bidding url " biddingWasmHelperURL"bidding wasm helper url " updateURL"update url " trustedBiddingSignalsURL"trusted bidding signals url -
If group contains groupMember:
-
Let parsedUrl be the result of running the URL parser on group[groupMember].
-
Throw a
TypeErrorif any of the following conditions hold:-
parsedUrl is failure;
-
parsedUrl is not same origin with interestGroup’s owner;
-
parsedUrl includes credentials;
-
parsedUrl fragment is not null.
-
-
Set interestGroup’s interestGroupField to parsedUrl.
-
-
-
If interestGroup’s trusted bidding signals url's query is not null, then throw a
TypeError. -
If group["
trustedBiddingSignalsKeys"] exists, then set interestGroup’s trusted bidding signals keys to group["trustedBiddingSignalsKeys"]. -
If group["
maxTrustedBiddingSignalsURLLength"] exists:-
If group["
maxTrustedBiddingSignalsURLLength"] ≥ 0, set interestGroup’s max trusted bidding signals url length to group["maxTrustedBiddingSignalsURLLength"], otherwise throw aTypeError.
-
-
If group["
userBiddingSignals"] exists:-
Set interestGroup’s user bidding signals to the result of serializing a JavaScript value to a JSON string, given group["
userBiddingSignals"]. This can throw aTypeError.
-
-
If group["
trustedBiddingSignalsSlotSizeMode"] is one of "none", "slot-size", or "all-slots-requested-sizes", set interestGroup’s trusted bidding signals slot size mode to group["trustedBiddingSignalsSlotSizeMode"]. -
For each groupMember and interestGroupField in the following table
Group member Interest group field " ads"ads " adComponents"ad components -
If group contains groupMember, for each ad of group[groupMember]:
-
Let igAd be a new interest group ad.
-
Let renderURL be the result of running the URL parser on ad["
renderURL"]. -
Throw a
TypeErrorif any of the following conditions hold:-
renderURL is failure;
-
renderURL scheme is not "
https"; -
renderURL includes credentials.
-
-
Set igAd’s render url to renderURL.
-
If ad["
metadata"] exists, then let igAd’s metadata be the result of serializing a JavaScript value to a JSON string, given ad["metadata"]. This can throw aTypeError. -
If groupMember is "
ads":-
If ad["
buyerReportingId"] exists, then set igAd’s buyer reporting ID to it. -
If ad["
buyerAndSellerReportingId"] exists, then set igAd’s buyer and seller reporting ID to it. -
If ad["
allowedReportingOrigins"] exists:-
For each originStr in ad["
allowedReportingOrigins"]: -
Set igAd’s allowed reporting origins to allowedReportingOrigins.
-
-
Append igAd to interestGroup’s interestGroupField.
-
-
-
If group["
additionalBidKey"] exists:-
Let decodedKey be the result of running forgiving-base64 decode with group["
additionalBidKey"]. -
Set interestGroup’s additional bid key to decodedKey.
-
-
-
If interestGroup’s estimated size > 1048576, then throw a
TypeError. -
Let p be a new promise.
-
Let queue be the result of starting a new parallel queue.
-
Enqueue the following steps to queue:
-
Let permission be the result of checking interest group permissions with interestGroup’s owner, frameOrigin, and "
join". -
If permission is false, then queue a global task on DOM manipulation task source, given global, to reject p with a "
NotAllowedError"DOMExceptionand abort these steps. -
Queue a global task on DOM manipulation task source, given global, to resolve p with
undefined. -
If the browser is currently storing an interest group with
ownerandnamethat matches interestGroup, then set the bid counts, join counts, and previous wins of interestGroup to the values of the currently stored one and remove the currently stored one from the browser. -
Set interestGroup’s joining origin to this's relevant settings object's top-level origin.
-
Set interestGroup’s join time to the current wall time.
-
If the most recent entry in interestGroup’s join counts corresponds to the current day in UTC, increment its count. If not, insert a new tuple the time set to the current UTC day and a count of 1.
-
Store interestGroup in the user agent's interest group set.
-
-
Return p.
2.2. Interest Group Storage Maintenance
There is a job that periodically performs storage maintenance on the user agent's interest group set. It performs operations such as removing expired or excess interest groups. An interest group set must respect the following limits. Implementations may define their own values for the below constants, however we supply the below values as a starting point, inspired by what the initial implementation of this specification uses:
-
Interest group set max owners is 1000, which defines the max number of owners in the user agent's interest group set.
-
Max regular interest groups per owner is 2000, which defines the max number of regular interest groups in the user agent's interest group set for an owner.
-
Max negative interest groups per owner is 20000, which defines the max number of negative interest groups in the user agent's interest group set for an owner.
-
Max interest groups total size per owner is
10*1024*1024, which defines the max total sizes of interest groups in the user agent's interest group set for an owner. It includs both regular interest groups and negative interest groups.
-
Let ownersAndExpiry be a new ordered map whose keys are origins and values are moments.
Note: The key is from owner, and value is from expiry. It’s used to determine a set of owners whose interest groups will be removed from the user agent's interest group set because the number of distinct owners exceeds the Interest group set max owners limit. It’s sorted based on their values (expiry) in descending order, in order to remove interest groups of owners expiring soonest first.
-
Let now be the current wall time.
-
For each ig of the user agent's interest group set:
-
Let owner be ig’s owner.
-
If ig’s expiry is before now, then remove ig from the user agent's interest group set and continue.
-
If ownersAndExpiry[owner] exists, then set ownersAndExpiry[owner] to ig’s expiry if it comes after ownersAndExpiry[owner].
-
-
If ownersAndExpiry’s size > interest group set max owners, then set ownersAndExpiry to ownersAndExpiry sorted in descending order with a being less than b if a’s value comes before b’s value, where values are expiry.
-
Let owners be the keys of ownersAndExpiry.
-
For each i in the range from 0 to owners’s size, exclusive:
-
If i ≥ interest group set max owners, then remove interest groups from the user agent's interest group set whose owner is owners[i], and continue.
-
Let regularIgs be a list of regular interest groups in the user agent's interest group set whose owner is owners[i].
-
If regularIgs’s size > max regular interest groups per owner, then clear excess interest groups with regularIgs and max regular interest groups per owner.
-
Let negativeIgs be a list of negative interest groups in the user agent's interest group set whose owner is owners[i].
-
If negativeIgs’s size > max negative interest groups per owner, then clear excess interest groups with negativeIgs and max negative interest groups per owner.
-
-
For each owner of owners:
-
Let igs be a list of interest groups in the user agent's interest group set whose owner is owner, sorted in descending order with a being less than b if aexpiry comes before bexpiry.
-
Let cumulativeSize be 0.
-
For each ig of igs:
-
If the sum of cumulativeSize and ig’s estimated size > max interest groups total size per owner, then remove ig from the user agent's interest group set.
-
Otherwise, increment cumulativeSize by ig’s estimated size.
-
-
-
Let sortedIgs be igs sorted in descending order with a being less than b if a’s expiry comes before b’s expiry.
Note: In order to remove interest groups expiring soonest first, sort interest groups based on their expiry in descending order.
-
For each i in the range from maxIgs to igs’s size, exclusive:
-
Remove sortedIgs[i] from the user agent's interest group set.
-
3. Leaving Interest Groups
3.1. leaveAdInterestGroup()
This first introductory paragraph is non-normative.
navigator.leaveAdInterestGroup() removes a user from a particular interest
group.
[SecureContext ]partial interface Navigator {Promise <undefined >leaveAdInterestGroup (optional AuctionAdInterestGroupKey = {}); };group dictionary {AuctionAdInterestGroupKey required USVString ;owner required USVString ; };name
The leaveAdInterestGroup(group) method steps are:
-
Let global be this's relevant global object.
-
Let frameOrigin be global’s origin.
-
Assert that frameOrigin is not an opaque origin and its scheme is "
https". -
Let p be a new promise.
-
If group is empty:
-
Let instance be global’s browsing context's fenced frame config instance.
-
If instance is null, then return.
-
Let interestGroup be instance’s interest group descriptor.
-
Run these steps in parallel:
-
Queue a global task on DOM manipulation task source, given global, to resolve p with
undefined. -
If interestGroup is not null:
-
Let owner be interestGroup’s owner.
-
If owner is same origin with frameOrigin, then remove interest groups from the user agent's interest group set whose owner is owner and name is interestGroup’s name.
-
-
-
-
Otherwise:
-
If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "
NotAllowedError"DOMException.Note: Both joining and leaving interest groups use the "join-ad-interest-group" feature.
-
Let owner be the result of parsing an https origin with group["
owner"]. -
Run these steps in parallel:
-
Let permission be the result of checking interest group permissions with owner, frameOrigin, and "
leave". -
If permission is false, then queue a global task on DOM manipulation task source, given global, to reject p with a "
NotAllowedError"DOMExceptionand abort these steps. -
Queue a global task on DOM manipulation task source, given global, to resolve p with
undefined. -
Remove interest groups from the user agent's interest group set whose owner is owner and name is group["
name"].
-
-
-
Return p.
3.2. clearOriginJoinedAdInterestGroups()
This first introductory paragraph is non-normative.
navigator.clearOriginJoinedAdInterestGroups() removes a user from interest groups whose joining origin is the associated Navigator's relevant settings object's top-level origin.
[SecureContext ]partial interface Navigator {Promise <undefined >clearOriginJoinedAdInterestGroups (USVString ,owner optional sequence <USVString >= []); };interestGroupsToKeep
The clearOriginJoinedAdInterestGroups(owner, interestGroupsToKeep) method steps are:
-
Let frameOrigin be this's relevant settings object's origin.
-
Assert that frameOrigin is not an opaque origin and its scheme is "
https". -
Let p be a new promise.
-
Let global be this's relevant global object.
-
If global’s associated Document is not allowed to use the "join-ad-interest-group" policy-controlled feature, then throw a "
NotAllowedError"DOMException.Note: Both joining and leaving interest groups use the "join-ad-interest-group" feature.
-
Let ownerOrigin be the result of parsing an https origin with owner.
-
Run these steps in parallel:
-
Let permission be the result of checking interest group permissions with ownerOrigin, frameOrigin, and "
leave". -
If permission is false, then queue a global task on the DOM manipulation task source given global, reject p with a "
NotAllowedError"DOMExceptionand abort these steps. -
Queue a global task on the DOM manipulation task source given global, to resolve p with
undefined. -
Remove interest groups from the user agent's interest group set whose owner is ownerOrigin, whose joining origin is frameOrigin, and whose name is not in interestGroupsToKeep.
-
-
Return p.
4. Running Ad Auctions
This first introductory paragraph is non-normative.
When a website or someone working on behalf of the website (e.g. a supply side platform, SSP) wants
to conduct an auction to select an advertisement to display to the user, they can call the navigator.runAdAuction() function, providing an auction configuration that
tells the browser how to conduct the auction and which on-device recorded interests are allowed to
bid in the auction for the chance to display their advertisement.
4.1. runAdAuction()
[SecureContext ]partial interface Navigator {Promise <(USVString or FencedFrameConfig )?>runAdAuction (AuctionAdConfig ); };config dictionary {AuctionAdConfig required USVString ;seller required USVString ;decisionLogicURL USVString ;trustedScoringSignalsURL long ;maxTrustedScoringSignalsURLLength sequence <USVString >;interestGroupBuyers Promise <any >;auctionSignals Promise <any >;sellerSignals Promise <DOMString >;directFromSellerSignalsHeaderAdSlot Promise <record <USVString ,USVString >>;deprecatedRenderURLReplacements unsigned long long ;sellerTimeout unsigned short ;sellerExperimentGroupId Promise <record <USVString ,any >>;perBuyerSignals Promise <record <USVString ,unsigned long long >>;perBuyerTimeouts Promise <record <USVString ,unsigned long long >>;perBuyerCumulativeTimeouts unsigned long long ;reportingTimeout USVString ;sellerCurrency Promise <record <USVString ,USVString >>;perBuyerCurrencies record <USVString ,unsigned short >;perBuyerGroupLimits record <USVString ,unsigned short >;perBuyerExperimentGroupIds record <USVString ,record <USVString ,double >>;perBuyerPrioritySignals sequence <DOMString >;requiredSellerCapabilities record <DOMString ,DOMString >;requestedSize sequence <record <DOMString ,DOMString >>;allSlotsRequestedSizes Promise <undefined >;additionalBids DOMString ;auctionNonce sequence <AuctionAdConfig >= [];componentAuctions AbortSignal ?;signal Promise <boolean >; };resolveToConfig
The runAdAuction(config) method steps are:
-
Let global be this's relevant global object.
-
Let settings be this's relevant settings object.
-
If global’s associated Document is not allowed to use the "run-ad-auction" policy-controlled feature, then throw a "
NotAllowedError"DOMException. -
Let auctionConfig be the result of running validate and convert auction ad config with config and true.
-
Optionally, throw a "
NotAllowedError"DOMException.Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the seller's site not being enrolled.
-
Let p be a new promise.
-
Let configMapping be global’s associated Document's node navigable's traversable navigable's fenced frame config mapping.
-
Let pendingConfig be the result of constructing a pending fenced frame config with auctionConfig.
-
Let urn be the result of running store a pending config on configMapping with pendingConfig.
-
If urn is failure, then resolve p with null and return p.
-
Let bidIgs be a new list of interest groups.
-
If config["
signal"] exists, then:-
Let signal be config["
signal"]. -
If signal is aborted, then reject p with signal’s abort reason and return p.
-
Add the following abort steps to signal:
-
Reject p with signal’s abort reason.
-
Run update bid counts with bidIgs.
-
Run interest group update with auctionConfig’s interest group buyers.
-
-
-
Let queue be the result of starting a new parallel queue.
-
Enqueue the following steps to queue:
-
Let bidDebugReportInfoList be a new list of bid debug reporting info.
-
Let winnerInfo be the result of running generate and score bids with auctionConfig, null, global, settings’s top-level origin, bidIgs, and bidDebugReportInfoList.
-
Let auctionReportInfo be a new auction report info.
-
If winnerInfo is not failure, then set auctionReportInfo to the result of running collect forDebuggingOnly reports with bidDebugReportInfoList and winnerInfo.
-
If winnerInfo is failure, then queue a global task on DOM manipulation task source, given global, to reject p with a "
TypeError". -
Otherwise if winnerInfo is null or winnerInfo’s leading bid is null:
-
Queue a global task on DOM manipulation task source, given global, to resolve p with null.
-
For each reportUrl of auctionReportInfo’s debug loss report urls:
-
Send report to reportUrl.
-
-
-
Otherwise:
-
Let winner be winnerInfo’s leading bid.
-
Let fencedFrameConfig be the result of filling in a pending fenced frame config with pendingConfig, auctionConfig, winnerInfo, and auctionReportInfo.
-
Finalize a pending config on configMapping with urn and fencedFrameConfig.
-
Wait until auctionConfig’s resolve to config is a boolean.
-
Let result be fencedFrameConfig.
-
If auctionConfig’s resolve to config is false, then set result to urn.
-
Queue a global task on the DOM manipulation task source, given global, to resolve p with result.
-
-
Run interest group update with auctionConfig’s interest group buyers.
-
Run update bid counts with bidIgs.
-
Run update previous wins with winner.
-
-
Return p.
To construct a pending fenced frame config given an auction config config:
-
Return a fenced frame config with the following items:
- mapped url
-
a struct with the following items:
- value
-
"about:blank" - visibility
-
"
opaque"
- container size
-
TODO: fill this in once container size is spec’d to be in config
- content size
-
null
- interest group descriptor
- on navigate callback
-
null
- effective sandbox flags
-
a struct with the following items:
- value
-
TODO: fill this in once fenced frame sandbox flags are more fully specified
- visibility
-
"
opaque"
- effective enabled permissions
- fenced frame reporting metadata
-
null
- exfiltration budget metadata
-
null
- nested configs
-
a struct with the following items:
- value
-
an empty list «»
- visibility
-
"
opaque"
- embedder shared storage context
-
null
To fill in a pending fenced frame config given a fenced frame config pendingConfig, auction config auctionConfig, leading bid info winningBidInfo, and auction report info auctionReportInfo:
-
Let winningBid be winningBidInfo’s leading bid.
-
Let replacements be an ordered map whose keys are strings and whose values are strings.
-
For each replacement in auctionConfig’s deprecated render url replacements:
-
Let k be replacement’s match.
-
Let v be replacement’s replacement.
-
Set replacements[k] to v.
-
-
Let replacedAdURL be the result of running substitute macros with replacements and winningBid’s ad descriptor's url.
-
Set pendingConfig’s mapped url's value to replacedAdURL.
-
Let adSize be winningBid’s ad descriptor's size.
-
Let concreteAdSize be the result of
resolving screen-relative sizes to pixel values for adSize. (WICG/turtledove#986)
-
Let adWidthString and adHeightString be the result of
converting concreteAdSize to strings. (WICG/turtledove#986)
-
Let sizeMacroMap be the ordered map «[ "{%AD_WIDTH%}" → adWidthString, "{%AD_HEIGHT%}" → adHeightString, "${AD_WIDTH}" → adWidthString, "${AD_HEIGHT}" → adHeightString]»
-
Set pendingConfig’s mapped url's value to the result of substituting macros with sizeMacroMap into winningBid’s ad descriptor's url.
-
If adSize is not null:
-
Set pendingConfig’s content size to a struct with the following items:
- value
-
concreteAdSize.
Cast concreteAdSize into the format that is eventually chosen for value. (WICG/turtledove#986)
- visibility
-
"
opaque"
-
-
Set pendingConfig’s interest group descriptor's value to a struct with the following items:
- owner
-
winningBid’s interest group's owner
- name
-
winningBid’s interest group's name
-
Let fencedFrameReportingMap be the map «[ "
buyer" → «», "seller" → «» ]». -
If auctionConfig’s component auctions is empty, then set fencedFrameReportingMap["
component-seller"] to an empty list «». -
Set pendingConfig’s fenced frame reporting metadata to a struct with the following items:
- value
-
A struct with the following items:
- fenced frame reporting map
-
fencedFrameReportingMap
- direct seller is seller
-
true if auctionConfig’s component auctions is empty, false otherwise
- allowed reporting origins
-
winningBid’s bid ad's allowed reporting origins
- visibility
-
"
opaque"
-
Set pendingConfig’s on navigate callback to an algorithm with these steps:
-
Asynchronously finish reporting with pendingConfig’s fenced frame reporting metadata's value's fenced frame reporting map, winningBidInfo and auctionReportInfo.
-
-
Let adComponentDescriptorsWithReplacements be a new list of ad descriptors.
-
If winningBid’s ad component descriptors is not null:
-
For each adComponentDescriptor of winningBid’s ad component descriptors:
-
Let descriptorWithReplacement be a new ad descriptor.
-
Set descriptorWithReplacement’s size to adComponentDescriptor’s size.
-
Set descriptorWithReplacement’s url to the result of running substitute macros with replacements and adComponentDescriptor’s url.
-
Append descriptorWithReplacement to adComponentDescriptorsWithReplacements.
-
-
-
Set pendingConfig’s nested configs's value to the result of running create nested configs with adComponentDescriptorsWithReplacements.
-
Return pendingConfig.
To asynchronously finish reporting given a fenced frame reporting map reportingMap, leading bid info leadingBidInfo, and auction report info auctionReportInfo.
-
Increment a winning bid’s k-anonymity count given leadingBidInfo’s leading bid.
-
If leadingBidInfo’s leading non-k-anon-enforced bid is not null, and leadingBidInfo’s leading non-k-anon-enforced bid's id ≠ leadingBidInfo’s leading bid's id, increment a winning bid’s k-anonymity count given leadingBidInfo’s leading non-k-anon-enforced bid.
-
Let buyerDone, sellerDone, and componentSellerDone be booleans, initially false.
-
If leadingBidInfo’s component seller is null, set componentSellerDone to true.
-
-
If buyerDone, sellerDone, and componentSellerDone are all true, then break.
-
Wait until one of the following fields of leadingBidInfo being not null:
-
If buyerDone is false and leadingBidInfo’s buyer reporting result is not null:
-
Let buyerMap be leadingBidInfo’s buyer reporting result's reporting beacon map.
-
If buyerMap is null, set buyerMap to an empty map «[]».
-
Let macroMap be leadingBidInfo’s buyer reporting result's reporting macro map.
-
Finalize a reporting destination with reportingMap,
buyer, buyerMap, and macroMap. -
Send report to leadingBidInfo’s buyer reporting result's report url.
-
Set buyerDone to true.
-
-
If sellerDone is false and leadingBidInfo’s seller reporting result is not null:
-
Let sellerMap be leadingBidInfo’s seller reporting result's reporting beacon map.
-
If sellerMap is null, set sellerMap to an empty map «[]».
-
Finalize a reporting destination with reportingMap,
seller, and sellerMap. -
Send report to leadingBidInfo’s seller reporting result's report url.
-
Set sellerDone to true.
-
-
If componentSellerDone is false and leadingBidInfo’s component seller reporting result is not null:
-
Let componentSellerMap be leadingBidInfo’s component seller reporting result's reporting beacon map.
-
If componentSellerMap is null, set componentSellerMap to an empty map «[]».
-
Finalize a reporting destination with reportingMap,
component-seller, and componentSellerMap. -
Send report to leadingBidInfo’s component seller reporting result's report url.
-
Set componentSellerDone to true.
-
-
-
For each reportUrl of auctionReportInfo’s debug win report urls:
-
Send report to report.
-
-
For each reportUrl of auctionReportInfo’s debug loss report urls:
-
Send report to report.
-
To create nested configs given ad component descriptors adComponentDescriptors:
-
Let nestedConfigs be an empty list «».
-
If adComponentDescriptors is null:
-
Return nestedConfigs.
-
-
For each adComponentDescriptor of adComponentDescriptors:
-
Let fencedFrameConfig be a fenced frame config with the following items:
- mapped url
-
a struct with the following items:
- value
-
adComponentDescriptor’s url
- visibility
-
"
opaque"
- container size
-
null
- content size
-
If adComponentDescriptor’s size is null, then null. Otherwise, a struct with the following items:
- value
-
adComponentDescriptor’s size TODO: Resolve screen-relative sizes and macros and cast this properly.
- visibility
-
"
opaque"
- interest group descriptor
-
null
- on navigate callback
-
null
- effective sandbox flags
-
a struct with the following items:
- value
-
TODO: fill this in once fenced frame sandbox flags are more fully specified
- visibility
-
"
opaque"
- effective enabled permissions
- fenced frame reporting metadata
-
null
- exfiltration budget metadata
-
null
- nested configs
-
a struct with the following items:
- value
-
an empty list «»
- visibility
-
"
opaque"
- embedder shared storage context
-
null
-
Append fencedFrameConfig to nestedConfigs.
-
-
Return nestedConfigs.
To validate and convert auction ad config given an AuctionAdConfig config and a boolean isTopLevel:
-
Assert that these steps are not running in parallel.
-
Let auctionConfig be a new auction config.
-
Let seller be the result of parsing an https origin with config["
seller"]. -
If seller is failure, then return failure.
-
Set auctionConfig’s seller to seller.
-
Let decisionLogicURL be the result of running the URL parser on config["
decisionLogicURL"]. -
If decisionLogicURL is failure, or it is not same origin with auctionConfig’s seller, then return failure.
-
Set auctionConfig’s decision logic url to decisionLogicURL.
-
If config["
trustedScoringSignalsURL"] exists:-
Let trustedScoringSignalsURL be the result of running the URL parser on config["
trustedScoringSignalsURL"]. -
If trustedScoringSignalsURL is failure, or it is not same origin with auctionConfig’s seller, then return failure.
-
Set auctionConfig’s trusted scoring signals url to trustedScoringSignalsURL.
-
-
If config["
maxTrustedScoringSignalsURLLength"] exists:-
If config["
maxTrustedScoringSignalsURLLength"] ≥ 0, set auctionConfig’s max trusted scoring signals url length to config["maxTrustedScoringSignalsURLLength"], otherwise throw aTypeError.
-
-
If config["
interestGroupBuyers"] exists:-
Let buyers be a new empty list.
-
For each buyerString in config["
interestGroupBuyers"]:-
Let buyer be the result of parsing an https origin with buyerString.
-
If buyer is failure, then return failure.
-
Append buyer to buyers.
-
-
Set auctionConfig’s interest group buyers to buyers.
-
-
If config["
auctionSignals"] exists:-
Set auctionConfig’s auction signals to config["
auctionSignals"]. -
Handle an input promise in configuration given auctionConfig and auctionConfig’s auction signals:
-
To parse the value result, set auctionConfig’s auction signals to the result of serializing a JavaScript value to a JSON string.
-
To handle an error, set auctionConfig’s auction signals to failure.
-
-
-
If config["
requestedSize"] exists:-
Let adSize be the result from running parse an AdRender ad size with config["
requestedSize"] -
Set auctionConfig’s requested size to adSize.
-
-
If config["
allSlotsRequestedSizes"] exists:-
If config["
allSlotsRequestedSizes"] is empty, throw aTypeError. -
Set auctionConfig’s all slots requested sizes to a new set.
-
For each adSizeValue in config["
allSlotsRequestedSizes"]:-
Let adSize be the result of running parse an AdRender ad size with adSizeValue.
-
If auctionConfig’s all slots requested sizes contains adSize, throw a
TypeError. -
Append adSize to auctionConfig’s all slots requested sizes.
-
-
If auctionConfig’s requested size is not null, and auctionConfig’s all slots requested sizes does not contain auctionConfig’s requested size, throw a
TypeError.
-
-
If config["
sellerSignals"] exists:-
Set auctionConfig’s seller signals to config["
sellerSignals"]. -
Handle an input promise in configuration given auctionConfig and auctionConfig’s seller signals:
-
To parse the value result, set auctionConfig’s seller signals to the result of serializing a JavaScript value to a JSON string, given result.
-
To handle an error, set auctionConfig’s seller signals to failure.
-
-
-
If config["
auctionNonce"] exists, then set auctionConfig’s auction nonce to the result of running get uuid from string with config["auctionNonce"]. -
If config["
additionalBids"] exists:-
Throw a
TypeErrorif any of the following conditions hold:-
config["
auctionNonce"] does not exist; -
config["
interestGroupBuyers"] does not exist, or is empty; -
config["
componentAuctions"] is not empty.
-
-
Set auctionConfig’s expects additional bids to true.
-
Handle an input promise in configuration given auctionConfig and config["
additionalBids"]:Note: The JavaScript code calling
runAdAuction()is responsible for not resolving config["additionalBids"] until additional bids have been retrieved from one or more `Ad-Auction-Additional-Bid` headers, as resolving this Promise early would cause a race condition in which additional bids might not be included in the auction. There are two ways that additional bids can be retrieved. The first is for the JavaScript code to issue a request whose initiator type is"fetch"and whoseadAuctionHeadersoption is set totrue. The JavaScript code has to resolve config["additionalBids"] after the corresponding call tofetch()has resolved to a response. The JavaScript code can also choose to wait to callrunAdAuction()until after the corresponding call tofetch()has resolved to a response, and can then immediately resolve config["additionalBids"].The second way that additional bids can be retrieved is by issuing an iframe navigation request with the
adauctionheaderscontent attribute set totrue. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call torunAdAuction(), and config["additionalBids"] can be immediately resolved.-
To parse the value result:
-
Set auctionConfig’s expects additional bids to false.
-
-
To handle an error:
-
Set auctionConfig’s expects additional bids to failure.
-
-
-
-
If config["
directFromSellerSignalsHeaderAdSlot"] exists:-
Handle an input promise in configuration given auctionConfig and config["
directFromSellerSignalsHeaderAdSlot"]:Note: The JavaScript code calling
runAdAuction()is responsible for not resolving config["directFromSellerSignalsHeaderAdSlot"] until direct from seller signals have been retrieved from one or more `Ad-Auction-Signals` headers, as resolving this Promise early would cause a race condition in which the script runners might run without the direct from seller signals that it needs. There are two ways that direct from seller signals can be retrieved. The first is for the JavaScript code to issue a request whose initiator type is"fetch"and whoseadAuctionHeadersoption is set totrue. The JavaScript code has to resolve config["directFromSellerSignalsHeaderAdSlot"] after the corresponding call tofetch()has resolved to a response. The JavaScript code can also choose to wait to callrunAdAuction()until after the corresponding call tofetch()has resolved to a response, and can then immediately resolve config["directFromSellerSignalsHeaderAdSlot"]. The second way that direct from seller signals can be retrieved is by issuing an iframe navigation request with theadauctionheaderscontent attribute set totrue. In this case, the JavaScript code is retrieved as part of the iframe navigation response, at which point the JavaScript code in the iframe makes the call torunAdAuction(), and config["directFromSellerSignalsHeaderAdSlot"] can be can be specified directly without a Promise.-
To parse the value result:
-
Set auctionConfig’s direct from seller signals header ad slot to result.
-
-
To handle an error:
-
Set auctionConfig’s direct from seller signals header ad slot to failure.
-
-
-
-
If config["
deprecatedRenderURLReplacements"] exists:-
Set auctionConfig’s deprecated render url replacements to config["
deprecatedRenderURLReplacements"]. -
Handle an input promise in configuration given auctionConfig and auctionConfig’s deprecated render url replacements:
-
To parse the value result:
-
Let renderUrlReplacements be a new empty list of ad keyword replacements.
-
For each replacement in result:
-
If validate a url macro with replacement’s match returns false, then throw a
TypeError. -
Otherwise, append replacement to renderUrlReplacements.
-
-
Set auctionConfig’s deprecated render url replacements to renderUrlReplacements.
-
-
To handle an error, set auctionConfig’s deprecated render url replacements to failure.
-
-
-
If config["
sellerTimeout"] exists, set auctionConfig’s seller timeout to config["sellerTimeout"] in milliseconds or 500, whichever is smaller. -
Let reportingTimeout be config["
reportingTimeout"] if it exists, 50 otherwise. -
Set config["
reportingTimeout"] to reportingTimeout in milliseconds or 5000, whichever is smaller. -
If config["
sellerExperimentGroupId"] exists, then set auctionConfig’s seller experiment group id to config["sellerExperimentGroupId"]. -
If config["
sellerCurrency"] exists:-
If the result of checking whether a string is a valid currency tag on config["
sellerCurrency"] is false, then return failure. -
Set auctionConfig’s seller currency to config["
sellerCurrency"].
-
-
If config["
perBuyerSignals"] exists:-
Set auctionConfig’s per buyer signals to config["
perBuyerSignals"]. -
Handle an input promise in configuration given auctionConfig and auctionConfig’s per buyer signals:
-
To parse the value result:
-
Set auctionConfig’s per buyer signals to a new ordered map whose keys are origins and whose values are strings.
-
For each key → value of result:
-
Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a
TypeError. -
Let signalsString be the result of serializing a JavaScript value to a JSON string, given value.
-
Set auctionConfig’s per buyer signals[buyer] to signalsString.
-
-
-
To handle an error, set auctionConfig’s per buyer signals to failure.
-
-
-
For each idlTimeoutMember, perBuyerTimeoutField, allBuyersTimeoutField in the following table
IDL timeout member Per buyer timeout field All buyers timeout field " perBuyerTimeouts"per buyer timeouts all buyers timeout " perBuyerCumulativeTimeouts"per buyer cumulative timeouts all buyers cumulative timeout -
If config contains idlTimeoutMember:
-
Set auctionConfig’s perBuyerTimeoutField to config[idlTimeoutMember].
-
Handle an input promise in configuration given auctionConfig and auctionConfig’s perBuyerTimeoutField:
-
To parse the value result:
-
Set auctionConfig’s perBuyerTimeoutField to a new ordered map whose keys are origins and whose values are durations in milliseconds.
-
For each key → value of result:
-
If perBuyerTimeoutField is "
perBuyerTimeouts", and value > 500, then set value to 500. -
If key is "*", then set auctionConfig’s allBuyersTimeoutField to value in milliseconds, and continue.
-
Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a
TypeError. -
Set auctionConfig’s perBuyerTimeoutField[buyer] to value in milliseconds.
-
-
-
To handle an error, set auctionConfig’s perBuyerTimeoutField to failure.
-
-
-
-
If config["
perBuyerGroupLimits"] exists, for each key → value of config["perBuyerGroupLimits"]:-
If value is 0, then return failure.
-
If key is "*", then set auctionConfig’s all buyers group limit to value, and continue.
-
Let buyer be the result of parsing an https origin with key.
-
If buyer is failure, then return failure.
-
Set auctionConfig’s per buyer group limits[buyer] to value.
-
-
If config["
perBuyerExperimentGroupIds"] exists, for each key → value of config["perBuyerExperimentGroupIds"]:-
If key is "*", then set auctionConfig’s all buyer experiment group id to value, and continue.
-
Let buyer the result of parsing an https origin with key.
-
If buyer is failure, then return failure.
-
Set auctionConfig’s per buyer experiment group ids[buyer] to value.
-
-
If config["
perBuyerPrioritySignals"] exists, for each key → value of config["perBuyerPrioritySignals"]:-
Let signals be an ordered map whose keys are strings and whose values are
double. -
for each k → v of value:
-
If k starts with "browserSignals.", throw a
TypeError. -
Set signals[k] to v.
-
-
If key is "*", then set auctionConfig’s all buyers priority signals to value, and continue.
-
Let buyer be the result of parsing an https origin with key.
-
If buyer is failure, then return failure.
-
Set auctionConfig’s per buyer priority signals[buyer] to signals.
-
-
If config["
requiredSellerCapabilities"] exists:-
Let sellerCapabilities be a new set of seller capabilities.
-
For each capabilityString of config["
requiredSellerCapabilities"]: -
Set auctionConfig’s required seller capabilities to sellerCapabilities.
-
-
If config["
perBuyerCurrencies"] exists:-
Set auctionConfig’s per buyer currencies to config["
perBuyerCurrencies"] -
Handle an input promise in configuration given auctionConfig and auctionConfig’s per buyer currencies:
-
To parse the value result:
-
Set auctionConfig’s per buyer currencies to a new ordered map whose keys are origins and whose values are currency tags.
-
for each key → value of result:
-
If the result of checking whether a string is a valid currency tag given value is false, throw a
TypeError. -
If key is "*", then set auctionConfig’s all buyers currency to value, and continue.
-
Let buyer be the result of parsing an https origin with key. If buyer is failure, throw a
TypeError. -
Set auctionConfig’s per buyer currencies[buyer] to value.
-
-
-
To handle an error, set auctionConfig’s per buyer currencies to failure.
-
-
-
If config["
componentAuctions"] is not empty:-
If config["
interestGroupBuyers"] exists and is not empty, then return failure. -
If config["
deprecatedRenderURLReplacements"] exists, then throw aTypeError.
-
-
For each component in config["
componentAuctions"]:-
If isTopLevel is false, then return failure.
-
Let componentAuction be the result of running validate and convert auction ad config with component and false.
-
If componentAuction is failure, then return failure.
-
Append componentAuction to auctionConfig’s component auctions.
-
-
Set auctionConfig’s config idl to config.
-
If config["
resolveToConfig"] exists:-
Let auctionConfig’s resolve to config be config["
resolveToConfig"]. -
TODO: What should happen if this rejects?
-
Upon fulfillment of auctionConfig’s resolve to config with resolveToConfig, set auctionConfig’s resolve to config to resolveToConfig.
-
-
Return auctionConfig.
To validate a url macro given a string macro:
-
Return true if any of the following conditions hold:
-
macro starts with "'${'" and ends with "'}'";
-
macro starts with "'%%'" and ends with "'%%'".
-
-
Otherwise, return false.
To update bid count given a list of interest groups igs:
-
For each ig in igs:
-
Let loadedIg be the interest group from the user agent's interest group set whose owner is ig’s owner and whose name is ig’s name, continue if none found.
-
If the most recent entry in loadedIg’s bid counts corresponds to the current day in UTC, increment its count. If not, insert a new tuple of the time set to the current UTC day and a count of 1.
-
Replace the interest group that has loadedIg’s owner and name in the user agent's interest group set with loadedIg.
-
To update previous wins given a generated bid bid:
-
Let ig be bid’s interest group.
-
Let loadedIg be the interest group from the user agent's interest group set whose owner is ig’s owner and whose name is ig’s name, return if none found.
-
Let win be a new previous win.
-
Set win’s time to the current wall time.
-
Let ad be an interest group ad whose render url is bid’s bid ad's render url, and whose metadata is bid’s bid ad's metadata.
-
Set win’s ad json to the result of serializing an Infra value to a JSON string given ad.
-
Append win to loadedIg’s previous wins.
-
Replace the interest group that has loadedIg’s owner and name in the user agent's interest group set with loadedIg.
To build bid generators map given an auction config auctionConfig:
-
Let bidGenerators be a new ordered map whose keys are origins and whose values are per buyer bid generators.
-
Let negativeTargetInfo be a new negative target info.
-
For each buyer in auctionConfig’s interest group buyers:
-
For each ig of the user agent's interest group set whose owner is buyer:
-
Let igName be ig’s name.
-
If ig’s additional bid key is not null:
-
Set negativeTargetInfo[(buyer, igName)] to (ig’s joining origin, ig’s additional bid key).
-
-
Continue if any of the following conditions hold:
-
ig’s bidding url is null;
-
the result of running check if required seller capabilities are permitted with auctionConfig and ig is false.
-
-
Let signalsUrl be ig’s trusted bidding signals url.
-
Let slotSizeQueryParam be the result of calculating the ad slot size query param given ig and auctionConfig.
-
Let joiningOrigin be ig’s joining origin.
-
If bidGenerators does not contain buyer:
-
Let perBuyerGenerator be a new per buyer bid generator.
-
Let perSignalsUrlGenerator be a new per signals url bid generator.
-
Set perSignalsUrlGenerator[joiningOrigin] to « ig ».
-
Set perSlotSizeQueryParam[slotSizeQueryParam] to perSignalsUrlGenerator.
-
Set perBuyerGenerator[signalsUrl] to perSlotSizeQueryParam.
-
Set bidGenerators[buyer] to perBuyerGenerator.
-
TODO: add a perBiddingScriptUrlGenerator layer that replaces the list of IGs with a map from biddingScriptUrl to a list of IGs.
-
-
Otherwise:
-
Let perBuyerGenerator be bidGenerators[buyer].
-
If perBuyerGenerator does not contain signalsUrl:
-
Let perSignalsUrlGenerator be a new per signals url bid generator.
-
Set perSignalsUrlGenerator[joiningOrigin] to « ig ».
-
Set perSlotSizeQueryParam[slotSizeQueryParam] to perSignalsUrlGenerator.
-
Set perBuyerGenerator[signalsUrl] to perSlotSizeQueryParam.
-
-
Otherwise:
-
Let perSlotSizeQueryParam be perBuyerGenerator[signalsUrl].
-
If perSlotSizeQueryParam does not contain slotSizeQueryParam:
-
Let perSignalsUrlGenerator be a new per signals url bid generator.
-
Set perSignalsUrlGenerator[joiningOrigin] to « ig ».
-
Set perSlotSizeQueryParam[slotSizeQueryParam] to perSignalsUrlGenerator.
-
-
Otherwise:
-
-
-
-
-
Return « bidGenerators, negativeTargetInfo ».
To check if required seller capabilities are permitted given an auction config auctionConfig and an interest group ig:
-
Let seller be auctionConfig’s seller.
-
Let requiredSellerCapabilities be auctionConfig’s required seller capabilities.
-
Return true if all of the following conditions hold:
-
ig’s seller capabilities is not null;
-
ig’s seller capabilities[seller] exists;
-
requiredSellerCapabilities is a subset of ig’s seller capabilities[seller].
-
-
Return false.
To generate a bid given an ordered map allTrustedBiddingSignals, a string auctionSignals, a BiddingBrowserSignals browserSignals, a string-or-null perBuyerSignals,
a DirectFromSellerSignalsForBuyer directFromSellerSignalsForBuyer, a duration perBuyerTimeout in milliseconds, a currency tag expectedCurrency, an interest group ig,
and a moment auctionStartTime:
-
Let igGenerateBid be the result of building an interest group passed to generateBid with ig.
-
Set browserSignals["
joinCount"] to the sum of ig’s join counts for all days within the last 30 days. -
Set browserSignals["
recency"] to the current wall time minus ig’s join time, in milliseconds. -
Set browserSignals["
bidCount"] to the sum of ig’s bid counts for all days within the last 30 days. -
Set browserSignals["
adComponentsLimit"] to 40. -
Let prevWins be a new
sequence<.PreviousWin> -
For each prevWin of ig’s previous wins for all days within the the last 30 days:
-
Let timeDelta be auctionStartTime minus prevWin’s time.
-
Set timeDelta to 0 if timeDelta is negative, timeDelta’s nearest second (rounding down) otherwise.
-
Let prevWinIDL be a new
PreviousWin. -
Append prevWinIDL to prevWins.
-
-
Set browserSignals["
prevWinsMs"] to prevWins. -
Let biddingScript be the result of fetching script with ig’s bidding url.
-
If biddingScript is failure, return failure.
-
If ig’s bidding wasm helper url is not null:
-
Let wasmModuleObject be the result of fetching WebAssembly with ig’s bidding wasm helper url.
-
If wasmModuleObject is not failure, then set browserSignals["
wasmHelper"] to wasmModuleObject.
-
-
Let trustedBiddingSignals be an ordered map whose keys are strings and whose values are
any. -
For each key of ig’s trusted bidding signals keys:
-
If allTrustedBiddingSignals is an ordered map and allTrustedBiddingSignals[key] exists, then set trustedBiddingSignals[key] to allTrustedBiddingSignals[key].
-
-
Return the result of evaluating a bidding script with biddingScript, ig, expectedCurrency, igGenerateBid, auctionSignals, perBuyerSignals, trustedBiddingSignals, browserSignals, directFromSellerSignalsForBuyer, and perBuyerTimeout.
To generate and score bids given an auction config auctionConfig, an auction config-or-null topLevelAuctionConfig, a global object global, an origin topLevelOrigin, a list of interest groups bidIgs, and a list of bid debug reporting info bidDebugReportInfoList:
-
Assert that these steps are running in parallel.
-
Let auctionStartTime be the current wall time.
-
Let decisionLogicScript be the result of fetching script with auctionConfig’s decision logic url.
-
If decisionLogicScript is failure, return null.
-
Let seller be auctionConfig’s seller.
-
Let « bidGenerators, negativeTargetInfo » be the result of running build bid generators map with auctionConfig.
-
Let leadingBidInfo be a new leading bid info.
-
Let queue be the result of starting a new parallel queue.
-
Let capturedAuctionHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured ad auction signals headers.
-
If auctionConfig’s component auctions are not empty:
-
Assert topLevelAuctionConfig is null.
-
Let pendingComponentAuctions be auctionConfig’s component auctions's size.
-
Let topLevelDirectFromSellerSignalsForSeller be null.
-
Let topLevelDirectFromSellerSignalsRetrieved be false.
-
For each component in auctionConfig’s component auctions, enqueue the following steps to queue:
-
Let compWinnerInfo be the result of running generate and score bids with component, auctionConfig, global, topLevelOrigin, bidIgs, and bidDebugReportInfoList.
-
If compWinnerInfo is failure, return failure.
-
If recursively wait until configuration input promises resolve given auctionConfig returns failure, return failure.
-
If topLevelDirectFromSellerSignalsRetrieved is false:
-
Let topLevelDirectFromSellerSignals be the result of running get direct from seller signals given seller, auctionConfig’s direct from seller signals header ad slot, and capturedAuctionHeaders.
-
Let topLevelDirectFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given topLevelDirectFromSellerSignals.
-
Set topLevelDirectFromSellerSignalsRetrieved to true.
-
-
If compWinnerInfo’s leading bid is not null, then run score and rank a bid with auctionConfig, compWinnerInfo’s leading bid, leadingBidInfo, decisionLogicScript, null, "top-level-auction", null, and topLevelOrigin.
-
If compWinnerInfo’s leading non-k-anon-enforced bid is not null, then run score and rank a bid with auctionConfig, compWinnerInfo’s leading non-k-anon-enforced bid, leadingBidInfo, decisionLogicScript, null, "top-level-auction", null, and topLevelOrigin.
-
Decrement pendingComponentAuctions by 1.
-
-
Wait until pendingComponentAuctions is 0.
-
If leadingBidInfo’s leading bid is null, return null.
-
Let winningComponentConfig be leadingBidInfo’s auction config.
-
Set leadingBidInfo’s auction config to auctionConfig.
-
Set leadingBidInfo’s component seller to winningComponentConfig’s seller.
-
Let « topLevelSellerSignals, unusedTopLevelReportResultBrowserSignals » be the result of running report result with leadingBidInfo, topLevelDirectFromSellerSignalsForSeller, winningComponentConfig, and global.
-
Set leadingBidInfo’s auction config to winningComponentConfig.
-
Set leadingBidInfo’s component seller to null.
-
Set leadingBidInfo’s top level seller to seller.
-
Set leadingBidInfo’s top level seller signals to topLevelSellerSignals.
-
Let directFromSellerSignals be the result of running get direct from seller signals given winningComponentConfig’s seller, winningComponentConfig’s direct from seller signals header ad slot, and capturedAuctionHeaders.
-
Let directFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given directFromSellerSignals.
-
Let directFromSellerSignalsForBuyer be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and leadingBidInfo’s leading bid's interest group's owner.
-
Let « sellerSignals, reportResultBrowserSignals » be the result of running report result with leadingBidInfo, directFromSellerSignalsForSeller, null, and global.
-
Run report win with leadingBidInfo, sellerSignals, reportResultBrowserSignals, and directFromSellerSignalsForBuyer.
-
Return leadingBidInfo.
-
-
If waiting until configuration input promises resolve given auctionConfig returns failure, then return failure.
-
Let allBuyersExperimentGroupId be auctionConfig’s all buyer experiment group id.
-
Let allBuyersGroupLimit be auctionConfig’s all buyers group limit.
-
Let auctionSignals be auctionConfig’s auction signals.
-
Let directFromSellerSignals be the result of running get direct from seller signals given seller, auctionConfig’s direct from seller signals header ad slot, and capturedAuctionHeaders.
-
Let directFromSellerSignalsForSeller be the result of running get direct from seller signals for a seller given directFromSellerSignals.
-
Let browserSignals be a
BiddingBrowserSignals. -
Let topLevelHost be the result of running the host serializer on topLevelOrigin’s host.
-
Set browserSignals["
topWindowHostname"] to topLevelHost. -
Set browserSignals["
seller"] to the serialization of seller. -
Let auctionLevel be "single-level-auction".
-
Let componentAuctionExpectedCurrency be null.
-
If topLevelAuctionConfig is not null:
-
Set browserSignals["
topLevelSeller"]] to the serialization of topLevelAuctionConfig’s seller. -
Set auctionLevel to "component-auction".
-
Set componentAuctionExpectedCurrency to the result of looking up per-buyer currency with topLevelAuctionConfig and seller.
-
-
Let pendingBuyers be bidGenerators’s size.
-
Let additionalBids be the result of running validate and convert additional bids with auctionConfig, topLevelAuctionConfig, negativeTargetInfo and global.
-
Let pendingAdditionalBids be the size of additionalBids.
-
For each additionalBid of additionalBids, run the following steps in parallel:
-
Score and rank a bid with auctionConfig, additionalBid, leadingBidInfo, decisionLogicScript, null, auctionLevel, componentAuctionExpectedCurrency, and topLevelOrigin.
-
Decrement pendingAdditionalBids by 1.
-
-
Let settings be global’s relevant settings object.
-
For each buyer → perBuyerGenerator of bidGenerators, enqueue the following steps to queue:
-
Let perBuyerCumulativeTimeout be auctionConfig’s all buyers cumulative timeout.
-
If auctionConfig’s per buyer cumulative timeouts is not null and per buyer cumulative timeouts[buyer] exists, then set perBuyerCumulativeTimeout to auctionConfig’s per buyer cumulative timeouts[buyer].
-
Let buyerExperimentGroupId be allBuyersExperimentGroupId.
-
Let perBuyerExperimentGroupIds be auctionConfig’s per buyer experiment group ids.
-
If perBuyerExperimentGroupIds is not null and perBuyerExperimentGroupIds[buyer] exists, then set buyerExperimentGroupId to perBuyerExperimentGroupIds[buyer].
-
Apply interest groups limits to prioritized list:
-
Let buyerGroupLimit be allBuyersGroupLimit.
-
Let perBuyerGroupLimits be auctionConfig’s per buyer group limits.
-
If perBuyerGroupLimits is not null and perBuyerGroupLimits[buyer] exists, then set buyerGroupLimit to perBuyerGroupLimits[buyer].
-
Let igs be a new list of interest groups.
-
For each signalsUrl → perSlotSizeQueryParam of perBuyerGenerator:
-
Sort in descending order igs, with a being less than b if a’s priority is less than b’s priority.
-
Remove the first buyerGroupLimit items from igs.
-
For each signalsUrl → perSlotSizeQueryParam of perBuyerGenerator:
-
For each slotSizeQueryParam → perSignalsUrlGenerator of perSlotSizeQueryParam:
-
For each joiningOrigin → groups of perSignalsUrlGenerator:
-
Remove from groups any interest group contained in igs.
-
-
-
-
-
Let perBuyerSignals be null.
-
If auctionConfig’s per buyer signals is not null and per buyer signals[buyer] exists, then set perBuyerSignals to auctionConfig’s per buyer signals[buyer].
-
Let perBuyerTimeout be auctionConfig’s all buyers timeout.
-
If auctionConfig’s per buyer timeouts is not null and per buyer timeouts[buyer] exists, then set perBuyerTimeout to auctionConfig’s per buyer timeouts[buyer].
-
Let expectedCurrency be the result of looking up per-buyer currency with auctionConfig and buyer.
-
Set browserSignals["
forDebuggingOnlyInCooldownOrLockout"] to the result of running is debugging only in cooldown or lockout with buyer. -
For each slotSizeQueryParam → perSlotSizeQueryParam of perBuyerGenerator:
-
For each signalsUrl → perSignalsUrlGenerator of perSlotSizeQueryParam:
-
Let allTrustedBiddingSignals be an ordered map whose keys are strings, and values are strings.
-
Let keys be a new ordered set.
-
Let igNames be a new ordered set.
-
Let lengthLimit be the maximum value that a
longinteger can hold. -
Let fetchSignalStartTime be settings’s current monotonic time.
-
For each joiningOrigin → groups of perSignalsUrlGenerator:
-
For each ig of groups:
-
Let putativeKeys be a clone of keys.
-
Let putativeIgNames be a clone of igNames.
-
Let putativeLengthLimit be ig’s max trusted bidding signals url length.
-
If ig’s max trusted bidding signals url length is 0 or
>lengthLimit, then set putativeLengthLimit to lengthLimit. -
Extend putativeKeys with ig’s trusted bidding signals keys.
-
Let biddingSignalsUrl be the result of building trusted bidding signals url with signalsUrl, putativeKeys, putativeIgNames, buyerExperimentGroupId, topLevelOrigin, and slotSizeQueryParam.
-
If serialized biddingSignalsUrl’s length ≤ putativeLengthLimit:
-
Set keys to putativeKeys.
-
Set igNames to putativeIgNames.
-
Set lengthLimit to putativeLengthLimit.
-
-
Otherwise:
-
Let biddingSignalsUrl be the result of building trusted bidding signals url with signalsUrl, keys, igNames, buyerExperimentGroupId, topLevelOrigin, and slotSizeQueryParam.
-
Let « partialTrustedBiddingSignals, dataVersion » be the result of fetching trusted signals with biddingSignalsUrl and true.
-
For each key → value in partialTrustedBiddingSignals:
-
Set allTrustedBiddingSignals[key] to value.
-
-
Set keys to a clone of ig’s trusted bidding signals keys.
-
Set igNames to « ig’s name ».
-
Set ig’s max trusted bidding signals url length to lengthLimit.
-
-
-
Let biddingSignalsUrl be the result of building trusted bidding signals url with signalsUrl, keys, igNames, buyerExperimentGroupId, topLevelOrigin, and slotSizeQueryParam.
-
Let « partialTrustedBiddingSignals, dataVersion » be the result of fetching trusted signals with biddingSignalsUrl and true.
-
For each key → value in partialTrustedBiddingSignals:
-
Set allTrustedBiddingSignals[key] to value.
-
-
-
If dataVersion is not null, then set browserSignals["
dataVersion"] to dataVersion. -
Let fetchSignalDuration be the duration from fetchSignalStartTime to settings’s current monotonic time, in milliseconds.
-
If perBuyerCumulativeTimeout is not null, then decrement perBuyerCumulativeTimeout by fetchSignalDuration.
-
For each joiningOrigin → groups of perSignalsUrlGenerator:
-
For each ig of groups:
-
If perBuyerCumulativeTimeout is negative, then break.
-
If ig’s bidding url is null, continue.
-
If perBuyerCumulativeTimeout is not null and is less than perBuyerTimeout, then set perBuyerTimeout to perBuyerCumulativeTimeout.
-
Let generateBidStartTime be settings’s current monotonic time.
-
Let directFromSellerSignalsForBuyer be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and ig’s owner.
-
Let « generatedBid, bidDebugReportInfo » be the result of generate a bid given allTrustedBiddingSignals, auctionSignals, a clone of browserSignals, perBuyerSignals, directFromSellerSignalsForBuyer, perBuyerTimeout, expectedCurrency, ig, and auctionStartTime.
-
Let generateBidDuration be the duration from generateBidStartTime to settings’s current monotonic time, in milliseconds.
-
If perBuyerCumulativeTimeout is not null, decrement perBuyerCumulativeTimeout by generateBidDuration.
-
If generatedBid is null:
-
Register a bid for forDebuggingOnly reports given null, bidDebugReportInfo, and bidDebugReportInfoList.
-
-
Let bidsToScore be a new list of generated bids
-
If query generated bid k-anonymity count given generatedBid returns true:
-
Let bidCopy be a clone of generatedBid.
-
Set bidCopy’s for k-anon auction to false.
-
Append bidCopy to bidsToScore.
-
Append generatedBid to bidsToScore.
Note: Conceptually, a bid that’s already k-anonymous is considered for both the k-anonymous and non-enforcing-k-anonymity leadership.
-
Register a bid for forDebuggingOnly reports given generatedBid, bidDebugReportInfo, and bidDebugReportInfoList.
-
-
Otherwise:
Note: Generate a bid is now rerun with only k-anonymous ads to give the buyer a chance to generate a bid for k-anonymous ads. Allowing the buyer to first generate a bid for non-k-anonymous ads provides a mechanism to bootstrap the k-anonymity count, otherwise no ads would ever trigger increment k-anonymity count and all ads would fail query k-anonymity count.
-
Set generatedBid’s for k-anon auction to false.
-
Append generatedBid to bidsToScore.
-
Let originalAds be ig’s ads.
-
If originalAds is not null:
-
Set ig’s ads to a new list of interest group ad.
-
For each ad in originalAds:
-
If query ad k-anonymity count given ig and ad’s render url returns true, append ad to ig’s ads.
-
-
-
Let originalAdComponents be ig’s ad components.
-
If originalAdComponents is not null:
-
Set ig’s ad components to a new list of interest group ad.
-
For each adComponent in originalAdComponents:
-
If query component ad k-anonymity count given adComponent’s render url returns true, append adComponent to ig’s ad components.
-
-
-
If perBuyerCumulativeTimeout is not null and is < perBuyerTimeout, then set perBuyerTimeout to perBuyerCumulativeTimeout.
-
Let generateBidStartTime be settings’s current monotonic time.
-
Set « generatedBid, bidDebugReportInfo » to the result of generate a bid given allTrustedBiddingSignals, auctionSignals, a clone of browserSignals, perBuyerSignals, directFromSellerSignalsForBuyer, perBuyerTimeout, expectedCurrency, ig, and auctionStartTime.
-
Set ig’s ads to originalAds.
-
Set ig’s ad components to originalAdComponents.
-
Let generateBidDuration be the duration from generateBidStartTime to settings’s current monotonic time, in milliseconds.
-
If perBuyerCumulativeTimeout is not null, then decrement perBuyerCumulativeTimeout by generateBidDuration.
-
If generatedBid is a generated bid:
-
Assert that query generated bid k-anonymity count given generatedBid returns true.
-
Append generatedBid to bidsToScore.
-
Register a bid for forDebuggingOnly reports given generatedBid, bidDebugReportInfo and bidDebugReportInfoList.
-
-
If generatedBid is null, register a bid for forDebuggingOnly reports given null, bidDebugReportInfo and bidDebugReportInfoList.
-
-
For each bidToScore of bidsToScore:
-
If bidToScore’s for k-anon auction is true, append bidToScore’s interest group to bidIgs.
-
Score and rank a bid with auctionConfig, bidToScore, leadingBidInfo, decisionLogicScript, directFromSellerSignalsForSeller, dataVersion, auctionLevel, componentAuctionExpectedCurrency, and topLevelOrigin.
-
-
-
-
-
-
Decrement pendingBuyers by 1.
-
-
Wait until both pendingBuyers and pendingAdditionalBids are 0.
-
If leadingBidInfo’s leading bid is null, return null.
-
If topLevelAuctionConfig is null:
-
Let « sellerSignals, reportResultBrowserSignals » be the result of running report result with leadingBidInfo, directFromSellerSignalsForSeller, null, and global.
-
Let directFromSellerSignalsForWinner be the result of running get direct from seller signals for a buyer with directFromSellerSignals, and leadingBidInfo’s leading bid's interest group's owner.
-
Run report win with leadingBidInfo, sellerSignals, reportResultBrowserSignals, and directFromSellerSignalsForWinner.
-
-
Let replacements be an ordered map whose keys are strings and whose values are strings.
-
For each ad keyword replacement, replacement, within deprecated render url replacements:
-
Let k be replacement’s match.
-
Let v be replacement’s replacement.
-
Set replacements[k] to v.
-
-
-
Set leadingBidInfo’s leading bid's ad descriptor to the result of substitute macros with replacements and leading bid's ad descriptor.
-
If leadingBidInfo’s leading bid's ad descriptors is not null:
-
For each ad descriptor, adDescriptor, within leading bid's ad descriptors:
-
Set adDescriptor to the result of substitute macros with replacements and adDescriptor.
-
-
-
Return leadingBidInfo.
-
Let igGenerateBid be a new
GenerateBidInterestGroupwith the following fields:owner- The serialization of ig’s owner
name- ig’s name
enableBiddingSignalsPrioritization- ig’s enable bidding signals prioritization
priorityVector- ig’s priority vector if not null, otherwise
undefined executionMode- ig’s execution mode
biddingLogicURL- The serialization-or-undefined of ig’s bidding url
biddingWasmHelperURL- The serialization of ig’s bidding wasm helper url
updateURL- The serialization of ig’s update url
trustedBiddingSignalsURL- The serialization of ig’s trusted bidding signals url
trustedBiddingSignalsKeys- ig’s trusted bidding signals keys
trustedBiddingSignalsSlotSizeMode- ig’s trusted bidding signals slot size mode
maxTrustedBiddingSignalsURLLength- ig’s max trusted bidding signals url length
userBiddingSignals- Parse a JSON string to a JavaScript value given ig’s user bidding signals
ads- ig’s ads converted to an AuctionAd sequence
adComponents- ig’s ad components converted to an AuctionAd sequence
-
Return igGenerateBid.
-
If ads is null, then return
undefined. -
For each ad of ads:
-
Let adIDL be a new
AuctionAd. -
Set adIDL["
renderURL"] to the serialization of ad’s render url. -
If ad’s metadata is not null, then set adIDL["
metadata"] to the result of parsing a JSON string to a JavaScript value given ad’s metadata. -
Append adIDL to adsIDL.
-
-
Return adsIDL.
DirectFromSellerSignalsForSeller directFromSellerSignalsForSeller, an unsigned long-or-null biddingDataVersion, an enum auctionLevel, which is "single-level-auction", "top-level-auction",
or "component-auction", a currency tag componentAuctionExpectedCurrency, and an origin topLevelOrigin:
-
Let renderURL be serialized generatedBid’s ad descriptor's url.
-
Let adComponentRenderURLs be a new empty list.
-
If generatedBid’s ad component descriptors is not null:
-
For each adComponentDescriptor in generatedBid’s ad component descriptors:
-
Append serialized adComponentDescriptor’s url to adComponentRenderURLs.
-
-
-
Let fullSignalsUrl be the result of building trusted scoring signals url with auctionConfig’s trusted scoring signals url, «renderURL», adComponentRenderURLs, auctionConfig’s seller experiment group id, and topLevelOrigin.
Implementations may batch requests by collecting render URLs and ad component render URLs from multiple invocations of score and rank a bid and passing them all to a single invocation of building trusted scoring signals url to get a scoringSignalsUrl. By employing this approach, the length of serialized scoringSignalsUrl must not exceed the
max trusted scoring signals url length of the auction. In cases where the length limit is exceeded, the request must be divided into smaller pieces to comply with the length restriction. However, note that a single request is always considered valid, regardless of whether its length exceeds the auction’s max trusted scoring signals url length.
The network response has to be parsed to pull out the pieces relevant to each evaluation of a scoring script.
-
Let trustedScoringSignals be null.
-
Let «allTrustedScoringSignals, scoringDataVersion» be the result of fetching trusted signals with fullSignalsUrl and false.
-
If allTrustedScoringSignals is an ordered map:
-
Set trustedScoringSignals to a new empty map.
-
If allTrustedScoringSignals["
renderURLs"] exists and allTrustedScoringSignals["renderURLs"][renderURL] exists, then set trustedScoringSignals["renderURL"][renderURL] to allTrustedScoringSignals["renderURLs"][renderURL]. -
If adComponentRenderURLs is not empty:
-
-
Let adMetadata be generatedBid’s ad.
-
Let bidValue be generatedBid’s bid.
-
If generatedBid’s modified bid is not null, then set bidValue to generatedBid’s modified bid.
-
Let owner be generatedBid’s interest group's owner.
-
Let seller be auctionConfig’s seller.
-
Let browserSignals be a
ScoringBrowserSignalswith the following fields:topWindowHostname- The result of running the host serializer on topLevelOrigin’s host
interestGroupOwner- Serialized owner
renderURL- The result of running the URL serializer on generatedBid’s ad descriptor's url
biddingDurationMsec- generatedBid’s bid duration
bidCurrency- The result of serializing a currency tag with generatedBid’s bid's currency
dataVersion- scoringDataVersion if it is not null,
undefinedotherwise adComponents- generatedBid’s ad component descriptors converted to a string sequence
forDebuggingOnlyInCooldownOrLockout- The result of running is debugging only in cooldown or lockout with seller
-
Let « scoreAdResult, debugWinReportUrl, debugLossReportUrl » be the result of evaluating a scoring script with decisionLogicScript, adMetadata, bidValue’s value, auctionConfig’s config idl, trustedScoringSignals, browserSignals, directFromSellerSignalsForSeller, and auctionConfig’s seller timeout.
-
If auctionLevel is "top-level-auction":
-
Set bidDebugReportInfo’s top level seller debug loss report url to debugLossReportUrl.
-
Set bidDebugReportInfo’s top level seller debug win report url to debugWinReportUrl.
-
-
Otherwise:
-
Set bidDebugReportInfo’s seller debug loss report url to debugLossReportUrl.
-
Set bidDebugReportInfo’s seller debug win report url to debugWinReportUrl.
-
-
Let scoreAdOutput be result of processing scoreAd output with scoreAdResult.
-
If auctionLevel is "component-auction", then set generatedBid’s component seller and bidDebugReportInfo’s component seller to seller.
-
Return if any of the following conditions hold:
-
scoreAdOutput is failure;
-
auctionLevel| is not "single-level-auction", and scoreAdOutput ["
allowComponentAuction"] is false; -
scoreAdOutput["
desirability"] ≤ 0.
-
-
If auctionLevel is "component-auction":
-
Let bidToCheck be generatedBid’s bid.
-
If scoreAdOutput["
bid"] exists:-
Let modifiedBidValue be scoreAdOutput["
bid"]. -
If modifiedBidValue ≤ 0, return.
-
Let modifiedBidCurrency be null.
-
If scoreAdOutput["
bidCurrency] exists, then set modifiedBidCurrency to scoreAdOutput["bidCurrency]. -
Set generatedBid’s modified bid to a bid with currency with value modifiedBidValue and currency modifiedBidCurrency.
-
Set bidToCheck to generatedBid’s modified bid.
-
-
If the result of checking a currency tag with componentAuctionExpectedCurrency and bidToCheck’s currency is false, return.
-
If the result of checking a currency tag with auctionConfig’s seller currency and bidToCheck’s currency is false, return.
-
-
If auctionConfig’s seller currency is not null:
-
If generatedBid’s bid's currency is equal to auctionConfig’s seller currency:
-
Set generatedBid’s bid in seller currency to generatedBid’s bid's value.
-
If scoreAdOutput["
incomingBidInSellerCurrency"] exists and does not equal generatedBid’s bid in seller currency, return.
-
-
Otherwise if scoreAdOutput["
incomingBidInSellerCurrency"] exists, then set generatedBid’s bid in seller currency to scoreAdOutput["incomingBidInSellerCurrency"].
-
-
Let score be scoreAdOutput["
desirability"]. -
If generatedBid’s for k-anon auction is false:
-
Let updateLeadingNonKAnonEnforcedBid be false.
-
If leadingBidInfo’s leading non-k-anon-enforced bid is null, or score > leadingBidInfo’s top non-k-anon-enforced score:
-
Set updateLeadingNonKAnonEnforcedBid to true.
-
Set leadingBidInfo’s top non-k-anon-enforced bids count to 1.
-
-
If leadingBidInfo’s leading non-k-anon-enforced bid is not null and score = leadingBidInfo’s top non-k-anon-enforced score:
-
Increment leadingBidInfo’s top non-k-anon-enforced bids count by 1.
-
Set updateLeadingNonKAnonEnforcedBid to true with 1 in leadingBidInfo’s top non-k-anon-enforced bids count chance.
-
-
If updateLeadingNonKAnonEnforcedBid is true:
-
Set leadingBidInfo’s top non-k-anon-enforced score to score.
-
Set leadingBidInfo’s leading non-k-anon-enforced bid to generatedBid.
-
-
Return.
-
-
Let updateLeadingBid be false.
-
If leadingBidInfo’s leading bid is null, or score > leadingBidInfo’s top score:
-
Set updateLeadingBid to true.
-
Set leadingBidInfo’s top bids count to 1.
-
Set leadingBidInfo’s at most one top bid owner to true.
-
-
Otherwise if score equals leadingBidInfo’s top score:
-
Increment leadingBidInfo’s top bids count by 1.
-
Set updateLeadingBid to true with 1 in leadingBidInfo’s top bids count chance.
-
If updateLeadingBid is false, then update highest scoring other bid with score, leadingBidInfo’s leading bid, and leadingBidInfo.
-
If owner is not same origin with leadingBidInfo’s leading bid's interest group's owner, then set leadingBidInfo’s at most one top bid owner to false.
-
-
Otherwise if score is greater than or equal to leadingBidInfo’s second highest score, then update highest scoring other bid with score, bidValue, and leadingBidInfo.
-
If updateLeadingBid is true:
-
If leadingBidInfo’s leading bid is not null, then update highest scoring other bid with leadingBidInfo’s top score, leadingBidInfo’s leading bid, and leadingBidInfo.
-
Set leadingBidInfo’s top score to score.
-
Set leadingBidInfo’s leading bid to generatedBid.
-
Set leadingBidInfo’s auction config to auctionConfig.
-
Set leadingBidInfo’s bidding data version to biddingDataVersion.
-
Set leadingBidInfo’s scoring data version to scoringDataVersion.
-
double score, a generated bid-or-null bid, and a leading bid info leadingBidInfo:
-
If bid is null, return.
-
Let owner be bid’s interest group's owner.
-
If score is greater than leadingBidInfo’s second highest score:
-
Set leadingBidInfo’s highest scoring other bid to bid.
-
Set leadingBidInfo’s highest scoring other bids count to 1.
-
Set leadingBidInfo’s second highest score to score.
-
Set leadingBidInfo’s highest scoring other bid owner to owner if leadingBidInfo’s at most one top bid owner is true, null otherwise.
-
-
Otherwise if score is equal to leadingBidInfo’s second highest score:
-
Increment leadingBidInfo’s highest scoring other bids count by 1.
-
Set leadingBidInfo’s highest scoring other bid to bid with 1 in leadingBidInfo’s highest scoring other bids count chance.
-
If leadingBidInfo’s highest scoring other bid owner is not null and owner is not same origin with leadingBidInfo’s highest scoring other bid owner, then set leadingBidInfo’s highest scoring other bid owner to null.
-
The Ad-Auction-Allowed HTTP response header is a structured header whose value must be a boolean.
-
If responseBody is null or failure, return false.
-
If getting `
Ad-Auction-Allowed` and "item" from response’s header list does not return a true value, return false. -
Let headerMimeType be the result of extracting a MIME type from response’s header list.
-
Return false if any of the following conditions hold:
-
headerMimeType is failure;
-
mimeType is "
text/javascript" and headerMimeType is not a JavaScript MIME type; -
mimeType is "
application/json" and headerMimeType is not a JSON MIME type.
-
-
Let mimeTypeCharset be headerMimeType’s parameters["
charset"]. -
Return false if any of the following conditions hold:
-
mimeTypeCharset does not exist, or mimeTypeCharset is "utf-8", and responseBody is not UTF-8 encoded;
-
mimeTypeCharset is "us-ascii", and not all bytes in responseBody are ASCII bytes.
-
-
Return true.
-
Let request be a new request with the following properties:
- URL
-
url
- header list
-
«
Accept:text/javascript» - client
-
null - mode
-
"
no-cors" - referrer
-
"
no-referrer" - credentials mode
-
"
omit" - redirect mode
-
"
error"
One of the side-effects of a
nullclient for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.Stop using "
no-cors" mode where possible (WICG/turtledove#667). -
Let script be null.
-
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
-
If validate fetching response with response, responseBody and "
text/javascript" returns false, set script to failure and return. -
Set script to responseBody.
-
-
Wait for script to be set.
-
Return script.
-
Let request be a new request with the following properties:
- URL
-
url
- header list
-
«
Accept:application/wasm» - client
-
null - mode
-
"
no-cors" - referrer
-
"
no-referrer" - credentials mode
-
"
omit" - redirect mode
-
"
error"
One of the side-effects of a
nullclient for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.Stop using "
no-cors" mode where possible (WICG/turtledove#667). -
Let moduleObject be null.
-
Fetch request with processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
-
Set moduleObject to failure and return, if any of the following conditions hold:
-
responseBody is null or failure;
-
Getting `
Ad-Auction-Allowed` and "item" from response’s header list does not return a true value.
-
-
Let module be the result of compiling a WebAssembly module response.
-
If module is error, set moduleObject to failure.
-
Otherwise, set moduleObject to module.
-
-
Wait for moduleObject to be set.
-
Return moduleObject.
The Data-Version HTTP response header is a structured header whose value must be an integer.
The X-fledge-bidding-signals-format-version HTTP response header
is a structured header whose value must be an integer.
-
Let request be a new request with the following properties:
- URL
-
url
- header list
-
«
Accept:application/json» - client
-
null - mode
-
"
no-cors" - referrer
-
"
no-referrer" - credentials mode
-
"
omit" - redirect mode
-
"
error"
One of the side-effects of a
nullclient for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.Stop using "
no-cors" mode where possible (WICG/turtledove#667). -
Let signals be null.
-
Let dataVersion be null.
-
Let formatVersion be null.
-
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
-
If validate fetching response with response, responseBody and "
application/json" returns false, set signals to failure and return. -
Let headers be response’s header list.
-
Set dataVersion to the result of getting a structured field value given `
Data-Version` and "item" from headers. -
If dataVersion is not null:
-
If dataVersion is not an integer, or is less than 0 or more than 232−1, set signals to failure and return.
-
-
If isBiddingSignal is true, then set formatVersion to the result of getting a structured field value given `
X-fledge-bidding-signals-format-version` and "item" from headers. -
Set signals to the result of parsing JSON bytes to an Infra value responseBody.
-
-
Wait for signals to be set.
-
If signals is a parsing exception, or if signals is not an ordered map, return « null, null ».
-
For each key → value of signals:
-
Set signals[key] to the result of serializing an Infra value to a JSON string given value.
-
-
If formatVersion is 2:
-
If signals["
keys"] does not exist, return « null, null ». -
Set signals to signals["
keys"]. -
If signals is not an ordered map, return « null, null ».
-
TODO: handle priority vector.
-
-
Return « signals, dataVersion ».
To encode trusted signals keys given an ordered set of strings keys:
-
Let list be a new empty list.
-
Let keysStr be the result of concatenating keys with separator set to ",".
-
Append the result of UTF-8 percent-encoding keysStr using component percent-encode set to list.
The Chrome implementation encodes 0x20 (SP) to U+002B (+), while UTF-8 percent-encoding encodes it to "%20".
-
Return list.
To convert an ad size to a string given an ad size adSize.
-
Let sizeList be an empty list.
-
Let jsWidth be adSize’s width, converted to an ECMAScript value.
-
Append adSize’s width units to sizeList.
-
Append "," to sizeList.
-
Let jsHeight be adSize’s height, converted to an ECMAScript value.
-
Append adSize’s height units to sizeList.
-
Return the result of concatenating sizeList.
To calculate the ad slot size query param given an interest group ig and auction config config:
-
Switch on ig’s trusted bidding signals slot size mode:
- "
none" -
-
Return "".
-
- "
slot-size" -
-
If config’s requested size is null, then return "".
-
Otherwise:
-
Let adSizeString the result of running convert an ad size to a string on config’s requested size.
-
Return the result of concatenating « "&slotSize=", adSizeString ».
-
-
- "
all-slots-requested-sizes" -
-
If config’s all slots requested sizes is null, then return "".
-
For each adSize in config’s all slots requested sizes:
-
Let adSizeString the result of running convert an ad size to a string on adSize.
-
Append adSizeString to allSizesList.
-
-
Let allSizes be the result of concatenating allSizesList, with "," as a separator.
-
Return the result of concatenating « "&allSlotsRequestedSizes=", allSizes ».
-
- "
To build trusted bidding signals url given a URL signalsUrl, an ordered set of strings keys, an ordered set of strings igNames, an unsigned short-or-null experimentGroupId, an origin topLevelOrigin, and a string slotSizeQueryParam:
-
Let queryParamsList be a new empty list.
Note: These steps create a query of the form "
&<name>=<values in comma-delimited list>". E.g., "hostname=publisher1.com&keys=key1,key2&interestGroupNames=ad+platform,name2&experimentGroupId=1234".
These steps don’t use the application/x-www-form-urlencoded serializer to construct the query string because it repeats a key if it has multiple values instead of a comma-demilited list (e.g., "keys=key1&keys=key2", instead of "keys=key1,key2"), and it also uses a different percent encode set from the Chrome implementation. -
Append "hostname=" to queryParamsList.
-
Append the result of UTF-8 percent-encoding the serialized topLevelOrigin using component percent-encode set to queryParamsList.
-
If keys is not empty:
-
Append "
&keys=" to queryParamsList. -
Extend queryParamsList with the result of encode trusted signals keys with keys.
-
-
If igNames is not empty:
-
Append "
&interestGroupNames=" to queryParamsList. -
Extend queryParamsList with the result of encode trusted signals keys with igNames.
-
-
If experimentGroupId is not null:
-
Append "
&experimentGroupId=" to queryParamsList. -
Append serialized experimentGroupId to queryParamsList.
-
-
Append slotSizeQueryParam to queryParamsList.
-
Let fullSignalsUrl be signalsUrl.
-
Set fullSignalsUrl’s query to the result of concatenating queryParamsList.
-
return fullSignalsUrl.
To build trusted scoring signals url given a URL signalsUrl, a list of strings renderURLs, an ordered set of strings adComponentRenderURLs, an unsigned short experimentGroupId, and an origin topLevelOrigin:
Note: When trusted scoring signals fetches are not batched, renderURLs’s size is 1.
-
Let queryParamsList be a new empty list.
-
Append "hostname=" to queryParamsList.
-
Append the result of UTF-8 percent-encoding topLevelOrigin using component percent-encode set to queryParamsList.
-
If renderURLs is not empty:
-
Append "
&renderURLs=" to queryParamsList. -
Extend queryParamsList with the result of encode trusted signals keys with renderURLs.
-
-
If adComponentRenderURLs is not empty:
-
Append "
&adComponentRenderURLs=" to queryParamsList. -
Extend queryParamsList with the result of encode trusted signals keys with adComponentRenderURLs.
-
-
If experimentGroupId is not null:
-
Append "
&experimentGroupId=" to queryParamsList. -
Append serialized experimentGroupId to queryParamsList.
-
-
Set signalsUrl’s query to the result of concatenating queryParamsList.
-
return signalsUrl.
-
Let request be a new request with the following properties:
- URL
-
url
- client
-
null - mode
-
"
no-cors" - referrer
-
"
no-referrer" - credentials mode
-
"
omit" - redirect mode
-
"
error"
Stop using "
no-cors" mode where possible (WICG/turtledove#667). -
Fetch request with useParallelQueue set to true.
-
If adSlot is not a string, then return null.
-
Let directFromSellerSignals be null.
-
Let directFromSellerSignalsKey be a new direct from seller signals key with its seller set to seller, and ad slot set to adSlot.
-
If capturedAuctionHeaders[directFromSellerSignalsKey] exists:
-
Set directFromSellerSignals to capturedAuctionHeaders[directFromSellerSignalsKey].
-
-
Return directFromSellerSignals.
-
Let directFromSellerSignalsForSeller be a new
DirectFromSellerSignalsForSeller. -
If directFromSellerSignals is null, then return directFromSellerSignalsForSeller.
-
Set directFromSellerSignalsForSeller["auctionSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s auction signals.
-
Set directFromSellerSignalsForSeller["sellerSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s seller signals.
-
Return directFromSellerSignalsForSeller.
-
Let directFromSellerSignalsForBuyer be a new
DirectFromSellerSignalsForBuyer. -
If directFromSellerSignals is null, then return directFromSellerSignalsForBuyer.
-
Set directFromSellerSignalsForBuyer["auctionSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s auction signals.
-
If directFromSellerSignals’s per buyer signals[owner] exists:
-
Set directFromSellerSignalsForBuyer["perBuyerSignals"] to the result of running parse a JSON string to an Infra value given directFromSellerSignals’s per buyer signals[owner].
-
-
Return directFromSellerSignalsForBuyer.
-
Let config be leadingBidInfo’s auction config.
-
Let bidCurrency be null.
-
If winningComponentConfig is not null:
-
Assert that leadingBidInfo’s component seller is not null.
-
Set bidCurrency to winningComponentConfig’s seller currency.
-
If bidCurrency is null, then set bidCurrency to the result of looking up per-buyer currency with config and leadingBidInfo’s component seller.
-
-
Otherwise, set bidCurrency to the result of looking up per-buyer currency with config and leadingBidInfo’s leading bid's interest group's owner.
-
Let winner be leadingBidInfo’s leading bid.
-
Let sellerCurrency be leadingBidInfo’s auction config's seller currency.
-
Let highestScoringOtherBid be leadingBidInfo’s highest scoring other bid's bid in seller currency (or 0 if encountered a null).
-
If sellerCurrency is null, then set highestScoringOtherBid to leadingBidInfo’s highest scoring other bid's bid's value (or 0 if encountered a null).
-
Let modifiedBid be null.
-
If winner’s modified bid is not null:
-
If leadingBidInfo’s component seller is not null, then set bid to winner’s modified bid.
-
Otherwise, set modifiedBid to winner’s modified bid.
-
-
Let browserSignals be a
ReportResultBrowserSignalswith the following fields:topWindowHostname- The result of running the host serializer on global’s top-level origin's host.
interestGroupOwner- Serialized winner’s interest group's owner.
renderURL- Serialized winner’s ad descriptor's url
bid- Stochastically rounded bid
bidCurrency- The result of serializing a currency tag with bidCurrency
highestScoringOtherBid- highestScoringOtherBid
highestScoringOtherBidCurrency- sellerCurrency if it is not null, "
???" otherwise topLevelSeller- leadingBidInfo’s top level seller if it is not null,
undefinedotherwise componentSeller- leadingBidInfo’s component seller if it is not null,
undefinedotherwise desirability- Stochastically rounded leadingBidInfo’s top score
topLevelSellerSignals- leadingBidInfo’s top level seller signals if it is not null,
undefinedotherwise modifiedBid- Stochastically rounded modifiedBid if it is not null,
undefinedotherwise dataVersion- leadingBidInfo’s scoring data version if it is not null,
undefinedotherwise
-
Let igAd be the interest group ad from winner’s interest group's ads whose render url is winner’s ad descriptor's url.
-
If igAd’s buyer and seller reporting ID exists and the result of query reporting ID k-anonymity count given winner’s interest group and igAd is true, then set browserSignals["
buyerAndSellerReportingId"] to igAd’s buyer and seller reporting ID. -
Let sellerReportingScript be the result of fetching script with config’s decision logic url.
-
Let « sellerSignals, reportUrl, reportingBeaconMap, ignored » be the result of evaluating a reporting script with sellerReportingScript, "
reportResult", config’s config idl'sreportingTimeout, and « config’s config idl, browserSignals, directFromSellerSignals ». -
Let reportingResult be a reporting result with the following items:
- report url
-
reportUrl
- reporting beacon map
-
reportingBeaconMap
-
If leadingBidInfo’s top level seller is null (i.e., if we are reporting for a component seller), set leadingBidInfo’s component seller reporting result to reportingResult.
-
Otherwise, set leadingBidInfo’s seller reporting result to reportingResult.
-
Remove browserSignals["
desirability"]. -
Remove browserSignals["
modifiedBid"]. -
Remove browserSignals["
topLevelSellerSignals"]. -
Remove browserSignals["
dataVersion"].Note: Remove fields specific to
ReportResultBrowserSignalswhich only sellers can learn about, so that they are not passed to "reportWin()". -
Return « sellerSignals, browserSignals ».
ReportingBrowserSignals browserSignals, and a direct from seller signals-or-null directFromSellerSignals:
-
Let config be leadingBidInfo’s auction config.
-
Let winner be leadingBidInfo’s leading bid.
-
Let perBuyerSignals be config’s per buyer signals.
-
Let buyer be winner’s interest group's owner.
-
Let perBuyerSignalsForBuyer be perBuyerSignals[buyer] if that member exists, and null otherwise.
-
Let reportWinBrowserSignals be a
ReportWinBrowserSignalswith the members that are declared onReportingBrowserSignalsinitialized to their values in browserSignals. -
Add the following fields to reportWinBrowserSignals:
dataVersion- leadingBidInfo’s bidding data version if it is not null,
undefinedotherwise. adCost- Rounded winner’s ad cost
seller- Serialized config’s seller
madeHighestScoringOtherBid- Set to true if leadingBidInfo’s highest scoring other bid owner is not null, and buyer is same origin with leadingBidInfo’s highest scoring other bid owner, false otherwise
modelingSignals- winner’s modeling signals if it is not null,
undefinedotherwise (TODO: noise and bucket this signal)
-
Let igAd be the interest group ad from winner’s interest group's ads whose render url is winner’s ad descriptor's url.
-
If igAd’s buyer and seller reporting ID does not exist and the result of query reporting ID k-anonymity count given winner’s interest group and igAd is true:
-
If igAd’s buyer reporting ID exists, set reportWinBrowserSignals["
buyerReportingId"] to igAd’s buyer reporting ID. -
Otherwise, Set reportWinBrowserSignals["
interestGroupName"] to winner’s interest group name.
-
-
Let buyerReportingScript be the result of fetching script with winner’s interest group's bidding url.
-
Let reportFunctionName be "
reportWin". -
If winner’s provided as additional bid is true:
-
Set reportFunctionName be "
reportAdditionalBidWin".
-
-
Let « ignored, resultUrl, reportingBeaconMap, reportingMacroMap » be the result of evaluating a reporting script with buyerReportingScript, "
reportWin", leadingBidInfo’s auction config's config idl'sreportingTimeout, and « leadingBidInfo’s auction config's config idl'sauctionSignals, perBuyerSignalsForBuyer, sellerSignals, reportWinBrowserSignals, directFromSellerSignals ». -
Set leadingBidInfo’s buyer reporting result to a reporting result with the following items:
- report url
-
resultUrl
- reporting beacon map
-
reportingBeaconMap
- reporting macro map
-
reportingMacroMap
5. Reporting
5.1. forDebuggingOnly
This first introductory paragraph is non-normative.
"generateBid()" and "scoreAd()" can call forDebuggingOnly's reportAdAuctionWin(url) and reportAdAuctionLoss(url) methods for event-level forDebuggingOnly reports for winning and losing bids.
Note: While the browser is experimenting with third party cookie deprecation (before they have
been fully removed), the forDebuggingOnly reporting APIs supply temporary labels indicating when a particular instance would have been
downsampled instead of using the following steps to downsample it.
-
If reportUrl is null, or the result of running is debugging only in cooldown or lockout with invokingOrigin is true, then return.
-
If the result of running sample a debug report with invokingOrigin is true, then append reportUrl to debugReportUrls.
-
Let auctionReportInfo be a new auction report info.
-
Let winningBid be winnerInfo’s leading bid if winnerInfo is not null, null otherwise.
-
For each bidDebugReportInfo of bidDebugReportInfoList:
-
If winningBid is not null and bidDebugReportInfo’s id is winningBid’s id:
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s bidder debug win report url, bidDebugReportInfo’s interest group owner, and auctionReportInfo’s debug win report urls.
-
If bidDebugReportInfo’s component seller is null:
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug win report url, seller, and auctionReportInfo’s debug win report urls.
-
-
Otherwise:
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug win report url, bidDebugReportInfo’s component seller, auctionReportInfo’s debug win report urls.
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s top level seller debug win report url, seller, and auctionReportInfo’s debug win report urls.
-
-
Otherwise:
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s bidder debug loss report url, bidDebugReportInfo’s interest group owner, and auctionReportInfo’s debug loss report urls.
-
If bidDebugReportInfo’s component seller is null:
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug loss report url, seller, and auctionReportInfo’s debug loss report urls.
-
-
Otherwise:
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s seller debug loss report url, bidDebugReportInfo’s component seller, auctionReportInfo’s debug loss report urls.
-
Collect a single forDebuggingOnly report with bidDebugReportInfo’s top level seller debug loss report url, seller, and auctionReportInfo’s debug loss report urls.
-
-
-
-
Return auctionReportInfo.
-
If generatedBid is not null:
-
Append bidDebugReportInfo to bidDebugReportInfoList.
Instead of inserting to bidDebugReportInfoList in each component auction that runs in parallel, create a structure InterestGroupAuction that holds data for each auction separately (WICG/turtledove#1021).
5.1.1. Downsampling
This first introductory paragraph is non-normative.
Implementations may define their own values for the below constants based on their privacy goal, however we supply the below values as a starting point, inspired by what the initial implementation of this specification uses:
-
sampling rate is 1/1000, which means only sending reports 1/1000 times the
forDebuggingOnlyAPI is called. -
lockout period is 3 years.
-
long cooldown rate is 1/10, which means 10% of the time putting an adtech in a long cooldown period if the adtech calls the API.
-
long cooldown period is 1 year.
-
short cooldown period is 2 weeks.
Note: More details of how these numbers are determined can be found in comments here: (WICG/turtledove#632).
The design of downsampling forDebuggingOnly reports has three main goals:
-
Prevent sending debug reports very often to protect user privacy:
-
Only sending debug reports sampling rate times the forDebuggingOnly API is called;
-
if a report is sent, "lock-out" all adtechs out of sending a report for lockout period;
-
if an adtech calls the API, put them in a "cool-down" period where calls to the API by that given adtech are not able to send reports.
-
-
Prevent one adtech from substantially compromising a different adtech’s access to debugging information. The "cool-down" period means that any particular adtech can only cause a very small fraction of people to send debug reports and be removed from the potential debugging pool.
-
Prevent adtechs who accidentally (e.g. due to a bug in their code) call the API repeatedly for all users, from locking themselves out of sending any more reports for years. This is accomplished by only long cooldown rate of the time putting that adtech in a long cooldown period, and rest of the time putting that adtech in a short cooldown period.
The user agent has a debug report lockout until, which is null or a moment, and a debug report cooldown, which is null or a map whose keys are origins and values are moments at which the cool down for the origin key expires.
-
If user agent's debug report lockout until is not null, and current wall time is less than user agent's debug report lockout until, return true.
-
If user agent's debug report cooldown is null, then return false.
-
If user agent's debug report cooldown[origin] exists and current wall time is less than user agent's debug report cooldown[origin], then return true.
-
Return false.
-
Let canSendAfterSampled be false.
-
Let sampleRand be a random
long, 0 ≤ sampleRand < 1000, so each possible long would be chosen with a probability equal to sampling rate. -
If sampleRand is 0:
-
Set canSendAfterSampled to true.
-
Set user agent's debug report lockout until to current wall time plus lockout period.
-
-
Let cooldownRand be a random
long≥ 0 and < 10, which corresponds to -
Let cooldownPeriod be long cooldown period if cooldownRand is 0, short cooldown period otherwise.
-
Set user agent's debug report cooldown[origin] to current wall time plus cooldownPeriod.
-
Return canSendAfterSampled.
6. Additional Bids and Negative Targeting
6.1. createAuctionNonce()
This first introductory paragraph is non-normative.
navigator.createAuctionNonce() creates an auction nonce, a
one-time version 4 UUID uniquely associated with a single call to navigator.runAdAuction(). For multi-seller auctions, this ID is uniquely
associated with all componentAuctions. This nonce will need to be passed back in
via a subsequent call to navigator.runAdAuction() via the AuctionAdConfig. This is currently only needed for auctions that use additional bids,
for which the auction nonce will be included in each additional bid as a way of ensuring
that those bids are only used in the auctions for which they were intended.
[SecureContext ]partial interface Navigator {Promise <DOMString >createAuctionNonce (); };
createAuctionNonce() method steps are:
-
Let p be a new promise.
-
Run the following steps in parallel:
-
Let nonce be the string representation of a version 4 UUID.
Because we’re going in parallel:-
There is no guarantee that the promise will be resolved before other tasks get queued on the main thread;
-
...which gives browsers the freedom to generate this UUID in another process, and asynchronously send it back to the main thread at an arbitrary future time.
-
Queue a global task on DOM manipulation task source, given this's relevant global object, to resolve p with nonce.
-
-
Return p.
6.2. Additional Bids
This first introductory paragraph is non-normative.
In addition to bids generated by interest groups, sellers can enable buyers to introduce bids generated outside of the auction, which are called additional bids. Additional bids are commonly triggered using contextual signals. Buyers compute the additional bids, likely as part of a contextual auction. Buyers need to package up each additional bid using a new data structure that encapsulates all of the information needed for the additional bid to compete against other bids in a Protected Audience auction.
Each additional bid is expressed using the following JSON data structure:
const additionalBid= { "bid" : { "ad" : 'ad-metadata' , "adCost" : 2.99 , "bid" : 1.99 , "bidCurrency" : "USD" , "render" : "https://www.example-dsp.com/ad/123.jpg" , "adComponents" : [ adComponent1, adComponent2], "allowComponentAuction" : true , "modelingSignals" : 123 , }, "interestGroup" : { "owner" : "https://www.example-dsp.com" "name" : "campaign123" , "biddingLogicURL" : "https://www.example-dsp.com/bid_logic.js" }, "negativeInterestGroups" : { joiningOrigin: "https://www.example-advertiser.com" , interestGroupNames: [ "example_advertiser_negative_interest_group_a" , "example_advertiser_negative_interest_group_b" , ] }, "auctionNonce" : "12345678-90ab-cdef-fedcba09876543210" , "seller" : "https://www.example-ssp.com" , "topLevelSeller" : "https://www.another-ssp.com" }
-
Assert that these steps are running in parallel.
-
Assert that auctionConfig’s auction nonce is not null.
-
Let auctionNonce be the string representation of auctionConfig’s auction nonce.
-
Let capturedAdditionalBidsHeaders be global’s associated Document’s node navigable’s traversable navigable’s captured additional bids headers.
-
Let additionalBids be a new list of decoded additional bids.
-
For each encodedSignedAdditionalBid of capturedAdditionalBidsHeaders[auctionNonce]:
-
Let signedAdditionalBid be the result of running forgiving-base64 decode with encodedSignedAdditionalBid.
-
If signedAdditionalBid is failure, then continue.
-
Let additionalBid be the result of running parse a signed additional bid given signedAdditionalBid, auctionConfig, topLevelAuctionConfig, and negativeTargetInfo.
-
If additionalBid is not null, then append additionalBid to additionalBids.
-
-
Return additionalBids.
-
Assert that these steps are running in parallel.
-
Let parsedSignedAdditionalBid be the result of running parse a JSON string to an infra value given signedAdditionalBid.
-
Return null if any of the following conditions hold:
-
Let signatures be a new list of signed additional bid signatures.
-
Let decodeSignatureFailed be false.
-
For each sig of parsedSignedAdditionalBid["signatures"]:
-
Set decodeSignatureFailed to true and break if any of the following conditions hold:
-
Let maybeKey be the result of running forgiving-base64 decode with sig["key"].
-
Let maybeSignature be the result of running forgiving-base64 decode with sig["signature"].
-
Set decodeSignatureFailed to true and break if any of the following conditions hold:
-
Let signature be a signed additional bid signatures, whose key is maybeKey, and signature is maybeSignature.
-
Append signature to signatures.
-
-
If decodeSignatureFailed is true, then return null.
-
Let decodedAdditionalBid be the result of decode an additional bid json given parsedSignedAdditionalBid["bid"], auctionConfig and topLevelAuctionConfig.
-
Return null if any of the following conditions hold:
-
decodedAdditionalBid is failure;
-
The result of checking a currency tag with decodedAdditionalBid’s bid's bid's currency and the result of running look up per-buyer currency with auctionConfig.
-
-
Let verifiedSignatureKeys be a new set of byte sequences.
-
For each signature of signatures:
-
If the result of checking whether negative targeted given decodedAdditionalBid, verifiedSignatureKeys and negativeTargetInfo is true, then return null.
-
Return decodedAdditionalBid.
-
Assert that these steps are running in parallel.
-
Let parsedAdditionalBid be the result of parse a JSON string to an infra value given additionalBidJson.
-
If parsedAdditionalBid is not a map, then return failure.
-
Let result be a new decoded additional bid.
-
Return failure if any of the following conditions hold:
-
parsedAdditionalBid["auctionNonce"] does not exist;
-
parsedAdditionalBid["auctionNonce"] is not the string representation of auctionConfig’s auction nonce;
-
parsedAdditionalBid["seller"] does not exist;
-
The result of running the parse an https origin with parsedAdditionalBid["seller"] is failure, or not same origin with auctionConfig’s seller.
-
-
If topLevelAuctionConfig is null:
-
If parsedAdditionalBid["topLevelSeller"] exists, then return failure.
-
-
Otherwise:
-
If parsedAdditionalBid["topLevelSeller"] does not exist, then return failure.
-
Let bidTopLevelSeller be the result of running the parse an https origin with parsedAdditionalBid["topLevelSeller"].
-
If bidTopLevelSeller is failure, or bidTopLevelSeller is not same origin with topLevelAuctionConfig’s seller, then return failure.
-
-
If parsedAdditionalBid["interestGroup"] does not exist, then return failure.
-
Let igMap be parsedAdditionalBid["interestGroup"].
-
Return failure if any the following conditions hold:
-
Let igOwner be the result of running parse an https origin given igMap["owner"].
-
Let igName be igMap["name"].
-
Let igBiddingUrl be the result of running url parser on igMap["biddingLogicURL"].
-
Return failure if any of the following conditions hold:
-
igOwner is failure;
-
auctionConfig’s interest group buyers does not contain igOwner;
-
igBiddingUrl is failure;
-
igOwner is not same origin with igBiddingUrl.
-
-
Let ig be a new interest group with the following properties:
- owner
-
igOwner
- name
-
igName
- bidding url
-
igBiddingUrl
-
If parsedAdditionalBid["bid"] does not exist, or is not a map, return failure.
-
Let bidMap be parsedAdditionalBid["bid"].
-
If bidMap["render"] does not exist or is not a string, then return failure.
-
Let renderUrl be the result of running URL parser on bidMap["render"].
-
If renderUrl is failure, then return failure.
-
Let ad be a new interest group ad whose render url is renderUrl.
-
Set ig’s ads to « ad ».
-
Let bidVal be bidMap["bid"] if it exists, otherwise return failure.
-
If bidVal is not a
double, or is less than or equal to 0, then return failure. -
Let adMetadata be "null".
-
If bidMap["ad"] exists:
-
Set adMetadata to the result of running serialize an Infra value to a JSON string with bidMap["ad"].
-
-
Let bidCurrency be null.
-
If bidMap["bidCurrency"] exists:
-
If bidMap["bidCurrency"] is not a string, or the result of checking whether a string is a valid currency tag is failure, then return failure.
-
Set bidCurrency to bidMap["bidCurrency"].
-
-
Let adCost be null.
-
If bidMap["adCost"] exists:
-
If bidMap["adCost"] is not a
double, then return failure. -
Set adCost to bidMap["adCost"].
-
-
Let modelingSignals be null.
-
If bidMap["modelingSignals"] exists:
-
If bidMap["modelingSignals"] is not a
double, then return failure. -
If bidMap["modelingSignals"] ≥ 0, and < 4096, then set modelingSignals to bidMap["modelingSignals"].
-
-
Let adComponents be a new list of ad descriptors.
-
If bidMap["adComponents"] exists:
-
If bidMap["adComponents"] is not a list, then return failure.
-
For each component of bidMap["adComponents"]:
-
If component is not a string, then return failure.
-
Let componentUrl be the result of running URL parser on component.
-
If componentUrl is failure, then return failure.
-
Let componentDescriptor be a new ad descriptor whose url is componentUrl.
-
Append componentDescriptor to adComponents.
-
-
Set ig’s ad components to adComponents.
-
-
If parsedAdditionalBid["negativeInterestGroup"] exists:
-
If parsedAdditionalBid["negativeInterestGroups"] exists, or parsedAdditionalBid["negativeInterestGroup"] is not a string, then return failure.
-
Append parsedAdditionalBid["negativeInterestGroup"] to result’s negative target interest group names.
-
-
If parsedAdditionalBid["negativeInterestGroups"] exists:
-
Let multipleNegativeIg be parsedAdditionalBid["negativeInterestGroups"].
-
Return failure if any of the following conditions hold:
-
Let joiningOrigin be the result of running parse an https origin with multipleNegativeIg["joiningOrigin"].
-
If joiningOrigin is failure, then return failure.
-
Set result’s negative target joining origin to joiningOrigin.
-
For each igName of multipleNegativeIg["interestGroupNames"]:
-
If igName is not a string, then return failure.
-
Append igName to result’s negative target interest group names.
-
-
-
Set result’s bid to a new generated bid with the following properties:
- bid
-
A bid with currency whose value is bidVal, and currency is bidCurrency
- ad
-
adMetadata
- ad descriptor
-
An ad descriptor whose url is renderUrl
- ad component descriptors
-
adComponents
- ad cost
-
adCost
- modeling signals
-
modelingSignals
- interest group
-
ig
- bid ad
-
A interest group ad whose render url is renderUrl, and metadata is adMetadata
- provided as additional bid
-
true
-
Return result.
A signed additional bid signature is a struct with the following items:
- key
-
A byte sequence of length 32.
- signature
-
A byte sequence of length 64.
A decoded additional bid is a struct with the following items:
- bid
-
A generated bid. Fields analogous to those returned by
generateBid(). - negative target interest group names
- negative target joining origin
-
Null or an origin. Required if there is more than one entry in negative target interest group names.
Each traversable navigable has a captured additional bids headers, which is a map whose keys are strings for auction nonces, and whose values are list of strings for encoded additional bids.
6.3. Negative Targeting
This first introductory paragraph is non-normative.
In online ad auctions for ad space, it’s sometimes useful to prevent showing an ad to certain
audiences, a concept known as negative targeting. To facilitate negative targeting in
Protected Audience auctions, each additional bid is allowed to identify one or more negative interest groups. If the user has been joined to any of the identified negative interest groups, the additional bid is dropped; otherwise it participates in the auction, competing alongside bids created by calls to generateBid(). An additional bid that specifies no negative interest groups is always accepted into the auction.
-
Assert that these steps are running in parallel.
-
Let negativeTargeted be false.
-
Let additionalBidBuyer be additionalBid’s bid's interest group's owner.
-
For each igName of additionalBid’s negative target interest group names:
-
If negativeTargetInfo[(additionalBidBuyer, igName)] exists:
-
Let (joiningOrigin, additionalBidKey) be negativeTargetInfo[(additionalBidBuyer, igName)].
-
If verifiedSignatureKeys contains additionalBidKey:
-
If joiningOrigin is not null:
-
If joiningOrigin is not same origin with additionalBid’s negative target joining origin, then continue.
-
-
Set negativeTargeted to true, and break.
-
-
-
Note: If the signature doesn’t verify successfully, the additional bid proceeds as if the negative interest group is not present. This ensures that only the owner of the negative interest group, who created the additionalBidKey, is allowed to negatively target the interest group, and that nobody else can learn
whether the interest group set contains the interest group.
-
Return negativeTargeted.
A negative target info is a map. Its keys are tuples consisting of an origin for owner and a string for name. Its values are tuples consisting of an origin for joining origin and a byte sequence for additional bid key.
6.3.1. Negative Interest Groups
This section is non-normative.
Though negative interest groups are joined using the same joinAdInterestGroup() API as regular interest groups, they remain distinct from one another. Only negative interest groups's additional bid key can be non-null, while only regular interest groups's ads can be non-null. Because the subset of fields
used by a negative interest group cannot be meaningfully updated, a negative interest group's update url must be null, otherwise a TypeError will be thrown by joinAdInterestGroup() API.
Additional bids specify the negative interest groups they’re negatively targeting against using at most one of the following two fields in their JSON data structure:
-
negativeInterestGroup, for a single negative interest group;
-
negativeInterestGroups, for more than one negative interest groups.
If an additional bid needs to specify more than one negative interest groups, all of those negative interest groups must be joined from the same origin, and that origin must be
identified ahead of time in the additional bid's joiningOrigin field. Any negative interest group that wasn’t joined from that identified origin is ignored for negative targeting.
Use negativeInterestGroup in additional bid’s JSON:
const additionalBid= { ... "negativeInterestGroup" : "example_advertiser_negative_interest_group" , ... }
Use negativeInterestGroups in additional bid’s JSON:
const additionalBid= { ... "negativeInterestGroups" : { joiningOrigin: "https://example-advertiser.com" , interestGroupNames: [ "example_advertiser_negative_interest_group_a" , "example_advertiser_negative_interest_group_b" , ] }, ... }
7. K-anonymity
Two goals of this specification rely on applying k-anonymity thresholds:
-
To prevent cross-site leaks: Inputs to event-level reporting functions,
reportWin()andreportResult(), only contain limited cross-site information. As described in § 15 Privacy Considerations, part of this limiting is done by applying k-anonymity requirements to the ad URLs. -
To ensure that the same ad or ad component is being shown to at least some minimum number of people: The browser applies k-anonymity requirements on the ad URLs.
The browser enforces these k-anonymity requirements by maintaining counts of how many times each ad and ad component has been shown to users. These counts are maintained across users, so the counting must be done on a central k-anonymity server. This specification relies on two operations to query and increment the counts: query k-anonymity count and increment k-anonymity count.
The details of how the k-anonymity server is operated and accessed are implementation-defined but it should be done in a way that prevents the server operator from joining the identity of two query or increment requests. One way to help prevent this is by making accesses to the server go through an HTTP proxy that prevents the server from seeing the browsers' IP addresses.
The browser should choose a k-anonymity threshold, otherwise known as the value for "k", and a k-anonymity duration depending on the projected sizes of interest groups and the browser’s privacy goals. For example an implementation might choose to require a k-anonymity threshold of fifty users over a seven day period. The server will maintain the count over the chosen duration and compare the count to the chosen k-anonymity threshold when responding to query k-anonymity count.
-
If the k-anonymity server has recorded at least k-anonymity threshold users seeing hashCode over the last k-anonymity duration, return true. Otherwise return false.
-
Return true if it is above the threshold, otherwise return false.
-
Let keyString be the concatenation of the following strings separated with U+000A LF:
-
"AdBid"
-
the serialization of ig’s owner
-
the serialization of ig’s bidding url
-
the serialization of ad.
-
-
Let keyHash be the SHA-256 hash of the ASCII encoding of keyString.
-
Return the result of querying the k-anonymity count given keyHash.
-
Let keyString be the concatenation of the following strings separated with U+000A (LF):
-
"NameReport"
-
the serialization of ig’s owner
-
the serialization of ig’s bidding url
-
the serialization of igAd’s render url
-
If igAd’s buyer and seller reporting ID exists:
-
"BuyerAndSellerReportingId"
-
-
Otherwise, if igAd’s buyer reporting ID exists:
-
"BuyerReportingId"
-
igAd’s buyer reporting ID
-
-
Otherwise:
-
"IgName"
-
ig’s name.
-
-
-
Return the SHA-256 hash of the ASCII encoding of keyString.
-
Let keyString be the concatenation of the following strings separated with U+000A LF:
-
"ComponentBid"
-
the serialization of ad.
-
-
Let keyHash be the SHA-256 hash of the ASCII encoding of keyString.
-
Return the result of querying the k-anonymity count given keyHash.
-
If query ad k-anonymity count given bid’s ad descriptor's url returns false, return false.
-
If bid’s ad component descriptors is not null:
-
For each adComponentDescriptor in bid’s ad component descriptors:
-
If query component ad k-anonymity count given adComponentDescriptor’s url returns false, return false.
-
-
-
Return true.
-
Let keyHash be the result of computing the key hash of reporting ID given ig and igAd.
-
Return the result of querying the k-anonymity count given keyHash.
-
Ask the k-anonymity server to record that this user agent has seen hashCode.
-
Let keyString be the concatenation of the following strings separated with U+000A LF:
-
"AdBid"
-
the serialization of ig’s owner
-
the serialization of ig’s bidding url
-
the serialization of ad.
-
-
Let keyHash be the SHA-256 hash of the ASCII encoding of keyString.
-
Increment k-anonymity count given keyHash.
-
Let keyString be the concatenation of the following strings separated with U+000A LF:
-
"ComponentBid"
-
the serialization of ad.
-
-
Let keyHash be the SHA-256 hash of the ASCII encoding of keyString.
-
Increment k-anonymity count given keyHash.
-
Let igAd be the interest group ad from ig’s ads whose render url is ad.
-
Let keyHash be the result of computing the key hash of reporting ID given ig and igAd.
-
Increment k-anonymity count given keyHash.
-
Increment ad k-anonymity count given winner’s interest group and winner’s ad descriptor's url.
-
If winner’s ad component descriptors is not null:
-
For each adComponentDescriptor in winner’s ad component descriptors:
-
Increment component ad k-anonymity count given adComponentDescriptor’s url.
-
-
-
Increment reporting ID k-anonymity count given winner’s interest group and winner’s ad descriptor's url.
8. Script Runners
This introduction sub-section is non-normative.
This specification defines a new type of script execution environment called a script runner. On the surface, these are similar to Worklets in that they too are used for running scripts independent of the main execution environment with a flexible implementation model.
However, some key differences from traditional Worklets motivate us to create a new kind of script execution environment. In particular, they:
-
Are not scoped to a particular
Document, but are rather scoped to a user agent, as they are spun up by interest groups in the user agent's interest group set. -
Consequently have a different, more flexible agent cluster allocation model —specifically, they need not execute in the same agent cluster as any
Document, and for privacy reasons implementations may be motivated to enjoy this flexibility. -
Do not have any other WebIDL interfaces exposed to their global besides the ones defined in this specification, unlike other Worklet types.
-
Have a restricted set of ECMAScript APIs exposed to them; for example
Dateis not exposed in these environments. -
Are not module scripts, and are instead evaluated as if they were classic scripts.
-
Are not scripts in the [HTML] sense, and as such:
-
Their agent does not have an event loop
-
Their realm does not have a settings object, and therefore functions inside them are not run with the familiar [WebIDL] invocation mechanism.
-
They do not perform a microtask checkpoints.
-
8.1. Realm and agent
-
Let signifier be a new unique internal value.
-
Let candidateExecution be a new candidate execution.
-
Return a new agent whose [[CanBlock]] is false, [[Signifier]] is signifier, [[CandidateExecution]] is candidateExecution, and [[IsLockFree1]], [[IsLockFree2]], and [[LittleEndian]] are set at the implementation’s discretion.
Note: This algorithm is almost identical to [HTML]'s create an agent algorithm, with the exception that we do not give the returned agent a new event loop, since it does not process tasks within task sources in the usual way.
-
Let agentCluster be a new agent cluster.
-
Let agent be the result of creating a new script runner agent.
-
Add agent to agentCluster.
-
Return agent.
-
Assert that these steps are running in parallel.
-
Let agent be the result of obtaining a script runner agent given null, true, and false. Run the rest of these steps in agent.
This exclusively creates a new agent cluster for a given script to run in, but we should make this work with execution mode somehow.
-
Let realmExecutionContext be the result of creating a new realm given agent and the following customizations:
-
For the global object, create a new object of type globalType.
-
-
Let realm be realmExecutionContext’s Realm component.
-
Let global be realm’s global object, and run these steps:
-
Perform !global.[[Delete]]("
Date"). -
If !global.[[HasProperty]]("
Temporal") is true, then perform !global.[[Delete]]("Temporal").
This is not the best way to perform such API neutering (see tc39/ecma262#1357), but at the moment it’s the way that host environments do this.
Note: Removing time-referencing APIs from the global object is imperative for privacy, as a script might otherwise be able to more easily exfiltrate data by using more accurate time measurements.
-
-
Return realm.
8.2. Script evaluation
Concretely, a script runner is a JavaScript execution environment instantiated with one of the following global objects:
GenerateBidInterestGroup igGenerateBid, a string-or-null auctionSignals, a string-or-null perBuyerSignals, an ordered map trustedBiddingSignals,
a BiddingBrowserSignals browserSignals, a DirectFromSellerSignalsForBuyer directFromSellerSignalsForBuyer and an integer millisecond duration timeout:
-
Let realm be the result of creating a new script runner realm given
InterestGroupBiddingScriptRunnerGlobalScope. -
Let global be realm’s global object.
-
Let settings be realm’s settings object.
WICG/turtledove#676 needs to be fixed in order to get realm’s settings object.
-
Set global’s group has ad components to true if ig’s ad components is not null, or false otherwise.
-
Set global’s expected currency to expectedCurrency.
-
Let isComponentAuction be true if browserSignals["
topLevelSeller"] is not null, or false otherwise. -
Set global’s is component auction to isComponentAuction.
-
Set global’s interest group to ig.
-
Let igJS be the result of converting to ECMAScript values given igGenerateBid.
-
Let auctionSignalsJS be the result of parsing a JSON string to a JavaScript value given auctionSignals if auctionSignals is not null, otherwise
undefined. -
Let perBuyerSignalsJS be the result of parsing a JSON string to a JavaScript value given perBuyerSignals if perBuyerSignals is not null, otherwise
undefined. -
Let trustedBiddingSignalsJS be trustedBiddingSignals converted to ECMAScript values.
-
Let browserSignalsJS be browserSignals converted to ECMAScript values.
-
Let directFromSellerSignalsJs be directFromSellerSignalsForBuyer converted to ECMAScript values.
-
Let startTime be settings’s current monotonic time.
-
Let result be the result of evaluating a script with realm, script, "
generateBid", « igJS, auctionSignalsJS, perBuyerSignalsJS, trustedBiddingSignalsJS, browserSignalsJS, directFromSellerSignalsJs », and timeout. -
Let duration be settings’s current monotonic time minus startTime in milliseconds.
-
If global’s priority is not null and not failure:
-
Replace the interest group that has ig’s owner and name in the user agent's interest group set with ig.
-
If global’s priority signals is not empty:
-
For each k → v of global’s priority signals:
-
If v is null, remove ig’s priority signals overrides[k].
-
Otherwise, set ig’s priority signals overrides[k] to v.
-
-
Replace the interest group that has ig’s owner and name in the user agent's interest group set with ig.
-
-
Let generatedBid be global’s bid.
-
If result is a normal completion:
-
Let generatedBidIDL be the result of converting result’s [[Value]] to a
GenerateBidOutput. -
If no exception was thrown in the previous step:
-
Let bidOutput be the result of converting GenerateBidOutput to generated bid with generatedBidIDL, ig, expectedCurrency, isComponentAuction, and global’s group has ad components.
-
If bidOutput is not failure, then set generatedBid to bidOutput.
-
-
-
Let bidDebugReportInfo be a new bid debug reporting info.
-
Set bidDebugReportInfo’s interest group owner to ig’s owner
-
Let debugLossReportUrl be global’s debug loss report url if it’s not failure, null otherwise.
-
Set bidDebugReportInfo’s bidder debug loss report url to debugLossReportUrl.
-
If generatedBid is a generated bid and generatedBid’s bid's value ≤ 0, then set generatedBid to null.
-
If generatedBid is a generated bid:
-
Let debugWinReportUrl be global’s debug win report url if it’s not failure, null otherwise.
-
Set bidDebugReportInfo’s bidder debug win report url to debugWinReportUrl.
-
Set generatedBid’s bid duration to duration, interest group to ig.
-
-
Return « generatedBid, bidDebugReportInfo ».
double bidValue, an AuctionAdConfig auctionConfigIDL, an ordered map trustedScoringSignals, a ScoringBrowserSignals browserSignals, a DirectFromSellerSignalsForSeller directFromSellerSignalsForSeller, and an integer
millisecond duration timeout:
-
Let realm be the result of creating a new script runner realm given
InterestGroupScoringScriptRunnerGlobalScope. -
Let browserSignalsJS be browserSignals converted to ECMAScript values.
-
Let auctionConfigJS be auctionConfigIDL converted to ECMAScript values.
-
Let trustedScoringSignalsJS be trustedScoringSignals converted to ECMAScript values.
-
Let directFromSellerSignalsJs be directFromSellerSignalsForSeller converted to ECMAScript values.
-
Let scoreAdResult be the result of evaluating a script with realm, script, "
scoreAd", «adMetadata, bidValue, auctionConfigJS, trustedScoringSignalsJS, browserSignalsJS, directFromSellerSignalsJs», and timeout. -
Let debugWinReportUrl be global’s debug win report url if it’s not failure, null otherwise.
-
Let debugLossReportUrl be global’s debug loss report url if it’s not failure, null otherwise.
-
Return « scoreAdResult, debugWinReportUrl, debugLossReportUrl ».
-
Let realm be the result of creating a new script runner realm given
InterestGroupReportingScriptRunnerGlobalScope. -
Let global be realm’s global object.
-
Let argumentsJS be the result of converting arguments to an ECMAScript arguments list. If this throws an exception, return « "null", null, null, null ».
-
Let result be the result of evaluating a script with realm, script, functionName, argumentsJS, and timeout.
-
If result is an abrupt completion, return « "null", null, null, null ».
-
Let resultJSON be "null".
-
If functionName is "
reportResult", then set resultJSON to the result of serializing a JavaScript value to a JSON string given result.Note: Consider a return value that can’t be converted to JSON a valid result, so if an exception was thrown in the previous step, keep resultJSON as "null".
-
Let reportURL be global’s report url
-
If reportURL is failure, set reportURL to null.
-
Let macroMap be global’s reporting macro map if functionName is "
reportWin" or "reportAdditionalBidWin", null otherwise. -
Return « resultJSON, reportURL, global’s reporting beacon map, macroMap ».
-
Assert that these steps are running in parallel.
-
If timeout ≤ 0, immediately interrupt the execution and set finalCompletion to a new throw completion given null.
-
Let global be realm’s global object, and run these steps in realm’s agent:
-
Let result be ParseScript(script, realm,
empty).Note: The resulting Script Record will have no [[HostDefined]] component, unlike traditional scripts on the web platform.
-
If result is a list of errors, return Completion { [[Type]]:
throw, [[Value]]: result, [[Target]]:empty}. -
Assert: result is a Script Record.
-
Prepare to run script: Push realmExecutionContext onto the JavaScript execution context stack; it is now the running JavaScript execution context.
-
Let evaluationStatus be the result of ScriptEvaluation(result).
-
If evaluationStatus is an abrupt completion, jump to the step labeled return.
-
Let F be Get(global, functionName). If that returns a throw completion, set finalCompletion to F and jump to the step labeled return.
-
Set finalCompletion be Completion(Call(F,
undefined, arguments)).In timeout milliseconds, if the invocation of Call has not completed, immediately interrupt the execution and set finalCompletion to a new throw completion given null.
-
Return: at this point finalCompletion will be set to a Completion Record.
-
Clean up after script: Assert realmExecutionContext is the running JavaScript execution context, and remove it from the JavaScript execution context stack.
-
Return finalCompletion.
-
8.3. Global scopes
An additional requirement to the interest group script runner globals defined in this specification is that they must not expose any interfaces from other specifications whose own exposure set is the special value "*". The only interfaces that can be exposed inside of the globals defined in this specification are those that explicitly list the global names provided here.
[Exposed =InterestGroupScriptRunnerGlobalScope ]interface { };InterestGroupScriptRunnerGlobalScope
[Exposed =InterestGroupBiddingAndScoringScriptRunnerGlobalScope ]interface {ForDebuggingOnly undefined reportAdAuctionWin (USVString );url undefined reportAdAuctionLoss (USVString ); }; [url Exposed =InterestGroupBiddingAndScoringScriptRunnerGlobalScope ,Global =InterestGroupBiddingAndScoringScriptRunnerGlobalScope ]interface :InterestGroupBiddingAndScoringScriptRunnerGlobalScope InterestGroupScriptRunnerGlobalScope {readonly attribute ForDebuggingOnly forDebuggingOnly ; };
Each InterestGroupBiddingAndScoringScriptRunnerGlobalScope has an associated forDebuggingOnly, which is an ForDebuggingOnly instance created alongside the InterestGroupBiddingAndScoringScriptRunnerGlobalScope.
forDebuggingOnly getter steps are:
-
Return this's relevant global object's forDebuggingOnly.
Each InterestGroupBiddingAndScoringScriptRunnerGlobalScope has a
- debug win report url
-
Null, failure, or a URL whose scheme is "
https". Initially null. - debug loss report url
-
Null, failure, or a URL whose scheme is "
https". Initially null.
reportAdAuctionWin(url) method steps are:
-
Let global be this's relevant global object.
-
Let parsedUrl be the result of running the URL parser on url.
-
If parsedUrl is failure, or parsedUrl’s scheme is not "
https", then set global’s debug win report url to failure. -
Optionally, return.
Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the parsedUrl’s site not being enrolled.
-
Set global’s debug win report url to parsedUrl.
reportAdAuctionLoss(url) method steps are:
-
Let global be this's relevant global object.
-
Let parsedUrl be the result of running the URL parser on url.
-
If parsedUrl is failure, or parsedUrl’s scheme is not "
https", then set global’s debug loss report url to failure. -
Optionally, return.
Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the parsedUrl’s site not being enrolled.
-
Set global’s debug loss report url to parsedUrl.
8.3.1. InterestGroupBiddingScriptRunnerGlobalScope
[Exposed =InterestGroupBiddingScriptRunnerGlobalScope ,Global =(InterestGroupScriptRunnerGlobalScope ,InterestGroupBiddingScriptRunnerGlobalScope )]interface :InterestGroupBiddingScriptRunnerGlobalScope InterestGroupBiddingAndScoringScriptRunnerGlobalScope {boolean setBid (optional GenerateBidOutput = {});generateBidOutput undefined setPriority (double );priority undefined setPrioritySignalsOverride (DOMString ,key optional double ?); };priority dictionary {AdRender required DOMString ;url DOMString ;width DOMString ; };height dictionary {GenerateBidOutput double = -1;bid DOMString ; (bidCurrency DOMString or AdRender );render any ;ad sequence <(DOMString or AdRender )>;adComponents double ;adCost unrestricted double ;modelingSignals boolean =allowComponentAuction false ; };
Each InterestGroupBiddingScriptRunnerGlobalScope has a
- bid
-
Null, or a generated bid, initially null.
- priority
-
Null, failure, or a
double, initially null. - priority signals
-
An ordered map whose keys are strings and whose values are
doubleor null. - interest group
- expected currency
- is component auction
-
A boolean
- group has ad components
-
A boolean
To convert GenerateBidOutput to generated bid given a GenerateBidOutput generateBidOutput, an interest group ig, a currency tag expectedCurrency, a boolean isComponentAuction and a boolean groupHasAdComponents:
-
Let bid be a new generated bid.
-
If generateBidOutput["
bid"] ≤ 0:-
Set bid’s bid to a bid with currency with value generateBidOutput["
bid"] and currency null. -
Return bid.
-
-
If generateBidOutput["
render"] does not exist, return failure. -
If isComponentAuction is true, and generateBidOutput["
allowComponentAuction"] is false, then return failure. -
Let bidCurrency be null.
-
If generateBidOutput["
bidCurrency"] is specified:-
If the result of checking whether a string is a valid currency tag on generateBidOutput["
bidCurrency"] is true, then set bidCurrency to generateBidOutput["bidCurrency"], otherwise return failure.
-
-
If the result of checking a currency tag with expectedCurrency and bidCurrency is false, return failure.
-
Set bid’s bid to a bid with currency with value generateBidOutput["
bid"] and currency bidCurrency. -
If generateBidOutput["
ad"] exists:-
Let adJSON be the result of serializing a JavaScript value to a JSON string, given generateBidOutput["
ad"]. -
If adJSON is failure, return failure.
-
Set bid’s ad to adJSON.
-
-
Let adDescriptor be a new ad descriptor.
-
If generateBidOutput["
render"] is aDOMString:-
Let adUrl be the result of running the URL parser on generateBidOutput["
render"]. -
If adUrl is failure, return failure.
-
Set adDescriptor’s url to adUrl.
-
-
Otherwise:
-
Set adDescriptor to the result of converting an ad render given generateBidOutput["
render"]. -
If adDescriptor is failure, return failure.
-
-
Let bidAd be the result of finding matching ad given adDescriptor, ig, and false.
-
If bidAd is null, return failure.
-
Set bid’s ad descriptor to adDescriptor.
-
Set bid’s bid ad to bidAd.
-
If generateBidOutput["
adComponents"] exists:-
Let adComponents be generateBidOutput["
adComponents"]. -
Return failure if any of the following conditions hold:
-
groupHasAdComponents is false;
-
adComponents’s size is greater than 40.
-
-
Let adComponentDescriptors be a new list of ad descriptors.
-
For component in adComponents:
-
Let componentDescriptor be a new ad descriptor.
-
If component is
DOMString:-
Let componentUrl be the result of running the URL parser on component.
-
If componentUrl is failure, return failure.
-
Set componentDescriptor’s url to componentUrl.
-
-
Otherwise:
-
Set componentDescriptor to the result of converting an ad render given component.
-
If componentDescriptor is failure, return failure.
-
-
If finding matching ad given componentUrl, ig, and true returns null, return failure.
-
Append componentDescriptor to adComponentDescriptors.
-
-
Set bid’s ad component descriptors to adComponentDescriptors.
-
-
If generateBidOutput["
adCost"] exists, then set bid’s ad cost to generateBidOutput["adCost"]. -
If generateBidOutput["
modelingSignals"] exists:-
Let modelingSignals be generateBidOutput["
modelingSignals"]. -
If modelingSignals ≥ 0 and modelingSignals < 4096, then set bid’s modeling signals to the result of converting the ECMAScript value represented by modelingSignals to an
unsigned short.
-
-
Return bid.
-
Let position be a position variable, initially pointing at the start of input.
-
Strip leading and trailing ASCII whitespace from input.
-
If input starts with "
0" but is not "0" and does not start with "0.", then return null as the dimension and the empty string as the dimension unit. -
Collect a sequence of code points that are ASCII digits or U+002E (.), given position. Let that be dimensionString.
-
If dimensionString is the empty string, then return null as the dimension and the empty string as the dimension unit.
-
Let dimension be the result of parsing dimensionString using the rules for parsing floating-point number values.
-
If dimension is an error, then return null as the dimension and the empty string as the dimension unit.
-
Collect a sequence of code points that are ASCII lower alpha, given position. Let that be dimensionUnit.
-
If position is not past the end of input, then return null as the dimension and the empty string as the dimension unit.
-
If dimensionUnit is the empty string, then set dimensionUnit to "px".
-
If dimensionUnit is not "px", "sh", or "sw", then return null as the dimension and the empty string as the dimension unit.
-
Return dimension as the dimension and dimensionUnit as the dimension unit.
AdRender adRender:
-
Let adUrl be the result of running the URL parser on adRender["
url"]. -
If adUrl is failure, return failure.
-
Let adDescriptor be a new ad descriptor.
-
Set adDescriptor’s url to adUrl.
-
-
Let width and widthUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adRender["
width"], respectively. -
If width is null, return failure.
-
Let height and heightUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adRender["
height"], respectively. -
If height is null, return failure.
-
Let adSize be a new ad size.
-
Set adSize’s width to width, width units to widthUnit, height to height, height units to heightUnit.
-
Set adDescriptor’s size to adSize.
-
Return adDescriptor.
-
Let adUrl be adDescriptor’s url.
-
If adUrl’s scheme is not "
https", return null. -
TODO: Need to check size as well.
-
If isComponent, for each ad in ig’s ad components:
-
If ad’s render url equals adUrl, return ad.
-
-
Otherwise, for each ad in ig’s ads:
-
If ad’s render url equals adUrl, return ad.
-
-
Return null.
setBid(generateBidOutput) method steps are:
-
Let global be this's relevant global object.
-
Set global’s bid to null.
-
Let ig be global’s interest group.
-
Let expectedCurrency be global’s expected currency.
-
Let bidToSet be the result of converting GenerateBidOutput to generated bid with generateBidOutput, ig, expectedCurrency, global’s is component auction, and global’s group has ad components.
-
Set global’s bid to bidToSet.
setPriority(priority) method steps are:
setPrioritySignalsOverride(key, priority) method steps are:
-
Set this's relevant global object's priority signals[key] to priority.
8.3.2. InterestGroupScoringScriptRunnerGlobalScope
[Exposed =InterestGroupScoringScriptRunnerGlobalScope ,Global =(InterestGroupScriptRunnerGlobalScope ,InterestGroupScoringScriptRunnerGlobalScope )]interface :InterestGroupScoringScriptRunnerGlobalScope InterestGroupBiddingAndScoringScriptRunnerGlobalScope { };
8.3.3. InterestGroupReportingScriptRunnerGlobalScope
[Exposed =InterestGroupReportingScriptRunnerGlobalScope ,Global =(InterestGroupScriptRunnerGlobalScope ,InterestGroupReportingScriptRunnerGlobalScope )]interface :InterestGroupReportingScriptRunnerGlobalScope InterestGroupScriptRunnerGlobalScope {undefined sendReportTo (DOMString );url undefined registerAdBeacon (record <DOMString ,USVString >);map undefined registerAdMacro (DOMString ,name USVString ); };value
Note: registerAdMacro(name, value) is only
available in report win, but not report result.
Each InterestGroupReportingScriptRunnerGlobalScope has a
- report url
-
Null, failure, or a URL whose scheme is "
https". Initially null. - reporting beacon map
-
Null or an ordered map whose keys are strings and whose values are URLs whose schemes are "
https". Initially null. - reporting macro map
-
Null or an ordered map whose keys are strings and whose values are strings. Initially null.
sendReportTo(url) method steps are:
-
Let global be this's relevant global object.
-
If global’s report url is not null, then set global’s report url to failure, and throw a
TypeError. -
Let parsedUrl be the result of running the URL parser on url.
-
If parsedUrl is failure, or parsedUrl’s scheme is not "
https", set global’s report url to failure, and throw aTypeError. -
Optionally, return.
Note: This implementation-defined condition is intended to allow user agents to decline for a number of reasons, for example the parsedUrl’s site not being enrolled.
-
Set global’s report url to parsedUrl.
registerAdBeacon(map) method steps are:
-
If this's relevant global object's reporting beacon map is not null, then Throw a
TypeError. -
For each type → url of map:
-
If type starts with "
reserved." and type does not match one of the automatic beacon event type values, throw aTypeError. -
Let parsedURL be the result of running URL parser on url.
-
Throw a
TypeErrorif any of the following conditions hold:-
parsedURL is failure;
-
parsedURL’s scheme is not "
https".
-
-
-
Set this's relevant global object's reporting beacon map to map.
registerAdMacro(name, value) method steps are:
-
-
Throw a
TypeErrorif both of the following conditions hold:-
c is not an unreserved percent encoding character;
-
c is not "
%".
-
-
-
For each code unit c in value:
-
Throw a
TypeErrorif both of the following conditions hold:-
c is not an unreserved percent encoding character;
-
c is not "
%".
-
-
-
Set this's relevant global object's reporting macro map[name] to value.
9. Interest Group Updates
This first introductory paragraph is non-normative.
Interest groups have an update url field that allows updating the
interest group definition stored on disk with information periodically retrieved from the update url. The interest group update steps are triggered during runAdAuction() and by calls to updateAdInterestGroups() API:
[SecureContext ]partial interface Navigator {undefined updateAdInterestGroups (); };
The updateAdInterestGroups() method steps are:
-
In parallel, run interest group update with « relevant settings object's top-level origin »
-
For each owner of owners:
-
For each originalInterestGroup of the user agent's interest group set whose owner is owner and next update after is before the current wall time:
Note: Implementations can consider loading only a portion of these interest groups at a time to avoid issuing too many requests at once.
-
Let ig be a deep copy of originalInterestGroup.
-
Let request be a new request with the following properties:
- URL
-
ig’s update url
- header list
-
«
Accept:application/json» - client
-
null - mode
-
"
no-cors" - referrer
-
"
no-referrer" - credentials mode
-
"
omit" - redirect mode
-
"
error"
One of the side-effects of a
nullclient for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode.Stop using "
no-cors" mode where possible (WICG/turtledove#667). -
Let update be null.
-
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
-
If validate fetching response with response, responseBody and "
application/json" returns false, set update to failure and return. -
Set update to responseBody.
-
-
Wait for update to be set.
-
If update is failure, continue.
-
Let parsedUpdate be the result of parsing JSON bytes to an Infra value, given update.
-
If parsedUpdate is failure, continue.
-
If parsedUpdate is not an ordered map, continue.
-
If parsedUpdate["
name"] exists and doesn’t match ig’s name, continue. -
If parsedUpdate["
owner"] exists and doesn’t match ig’s owner, continue. -
For each key → value of parsedUpdate:
-
Switch on key:
- "
priority" -
-
Otherwise, jump to the step labeled Abort update.
- "
enableBiddingSignalsPrioritization" -
-
If value is a
boolean, set ig’s enable bidding signals prioritization to value. -
Otherwise, jump to the step labeled Abort update.
-
- "
priorityVector" -
-
If value is null or an ordered map whose keys are strings and whose values are
double, set ig’s priority vector to value. -
Otherwise, jump to the step labeled Abort update.
-
- "
prioritySignalsOverrides" -
-
If value is an ordered map whose keys are strings and whose values are
doubleor null:-
For each pvKey → pvValue of value:
-
If pvValue is null, remove ig’s priority signals overrides[pvKey].
-
Otherwise, set ig’s priority signals overrides[pvKey] to pvValue.
-
-
-
Otherwise, jump to the step labeled Abort update.
-
- "
sellerCapabilities" -
-
If value is an ordered map whose keys are strings and whose values are lists of strings, for each sellerString → capabilities of value:
-
Let sellerCapabilities be a new set of seller capabilities.
-
For each capabilityString of capabilities:
-
If sellerString is "
*", then set ig’s all sellers capabilities to sellerCapabilities. -
Otherwise:
-
If ig’s seller capabilities is null, then set ig’s seller capabilities to a new ordered map whose keys are origins and whose values are sets of seller capabilities.
-
Let sellerUrl be the result of running the URL parser on sellerString.
-
If sellerUrl is not failure:
-
Let seller be sellerUrl’s origin.
-
If ig’s seller capabilities does not contain seller, then set ig’s seller capabilities[seller] to sellerCapabilities.
-
-
-
-
Otherwise, jump to the step labeled Abort update.
-
- "
executionMode" -
-
If value is "
compatibility", "frozen-context", or "group-by-origin", then set ig’s execution mode to value. -
Otherwise, set ig’s execution mode to "
compatibility".
-
- "
biddingLogicURL"- "
biddingWasmHelperURL"- "
updateURL"- "
trustedBiddingSignalsURL" - "
-
-
For each groupMember and interestGroupField in the following table
Group member Interest group field " biddingLogicURL"bidding url " biddingWasmHelperURL"bidding wasm helper url " updateURL"update url " trustedBiddingSignalsURL"trusted bidding signals url -
Let parsedURL be the result of running the URL parser on value.
-
If key is not groupMember, continue.
-
Jump to the step labeled Abort update if any of the following conditions hold:
-
parsedURL is failure;
-
parsedURL’s origin is not same origin with ig’s owner;
-
parsedURL includes credentials;
-
parsedURL fragment is not null.
-
-
Set ig’s interestGroupField to parsedURL.
-
-
- "
trustedBiddingSignalsKeys" -
-
If value is a list of strings, set ig’s trusted bidding signals keys to value.
-
Otherwise, jump to the step labeled Abort update.
-
- "
trustedBiddingSignalsSlotSizeMode" -
-
If value is one of "none", "slot-size", or "all-slots-requested-sizes", set ig’s trusted bidding signals slot size mode to value.
-
Otherwise, set trusted bidding signals slot size mode to "none".
-
- "
maxTrustedBiddingSignalsURLLength" -
-
If value is a Number:
-
Let convertedValue be the result of converting value to a
long. -
If convertedValue ≥ 0, then set ig’s max trusted bidding signals url length to convertedValue.
-
-
Otherwise, jump to the step labeled Abort update.
-
- "
userBiddingSignals" -
-
Set ig’s user bidding signals to the result of serialize an Infra value to JSON bytes given value.
-
Otherwise, jump to the step labeled Abort update.
Serializing an Infra value to JSON bytes expects to be called within a valid ES realm. See infra/625
-
- "
ads"- "
adComponents" - "
-
-
For each groupMember and interestGroupField in the following table
Group member Interest group field " ads"ads " adComponents"ad components -
If key is not groupMember, continue.
-
If value is not a list of
AuctionAd, jump to the step labeled Abort update. -
Let igAds be a new list of interest group ads.
-
For each ad of value:
-
Let igAd be a new interest group ad.
-
Let renderURL be the result of running the URL parser on ad["
renderURL"]. -
Jump to the step labeled Abort update if any of the following conditions hold:
-
renderURL is failure;
-
renderURL scheme is not "
https"; -
renderURL includes credentials.
-
-
Set igAd’s render url to renderURL.
-
If ad["
metadata"] exists, then let igAd’s metadata be the result of serializing a JavaScript value to a JSON string, given ad["metadata"]. If this throws, jump to the step labeled Abort update. -
If groupMember is "
ads":-
If ad["
buyerReportingId"] exists then set igAd’s buyer reporting ID to it. -
If ad["
buyerAndSellerReportingId"] exists then set igAd’s buyer and seller reporting ID to it.
-
-
Append igAd to igAds.
-
-
If igAds is not is empty:
-
Set ig’s interestGroupField to igAds.
-
-
-
- "
additionalBidKey" -
-
Let decodedKey be the result of running forgiving-base64 decode with value.
-
Jump to the step labeled Abort update if any of the following conditions hold:
-
decodedKey is a failure;
-
decodedKey’s length is not 32;
-
-
Set ig’s additional bid key to decodedKey.
-
- "
-
-
Jump to the step labeled Abort update if any of the following conditions hold:
-
ig’s ads is not null, and ig’s additional bid key is not null;
-
ig’s estimated size is greater than 50 KB.
-
-
Set ig’s next update after to the current wall time plus 24 hours.
-
Replace the interest group that has ig’s owner and name in the user agent's interest group set with ig.
-
Abort update: We jump here if some part of the interest group update failed. Continue to the next interest group update.
-
-
10. Feature Detection
The queryFeatureSupport() method permits checking what functionality is available in the current implementation, in order to help deploy new features. The return values specified in this specification are for an implementation that fully implements it.
[SecureContext ]partial interface Navigator { [SameObject ]readonly attribute ProtectedAudience ; }; [protectedAudience SecureContext ,Exposed =Window ]interface {ProtectedAudience any queryFeatureSupport (DOMString ); };feature
The queryFeatureSupport(feature) method steps are:
-
If feature is "adComponentsLimit", return 40.
-
Return
undefined.
11. Common Algorithms
The following algorithms are some helper algorithms used in this specification.
The estimated size of an interest group ig is the sum of:
-
The length of the serialization of ig’s owner.
-
8, which is the size of ig’s priority.
-
4, which is the size of ig’s execution mode.
Note: Each of execution mode's value represents a
longinteger, so 4 bytes. -
2, which is the size of ig’s enable bidding signals prioritization.
-
If ig’s priority vector is not null, for each key → value of priority vector:
-
The length of key.
-
8, which is the size of value.
-
-
If ig’s priority signals overrides is not null, for each key → value of priority signals overrides:
-
The length of key.
-
8, which is the size of value.
-
-
If ig’s seller capabilities is not null, then for each seller → capabilities of ig’s seller capabilities:
-
The length of the serialization of seller.
-
4, which is capabilities’s underlying number of enum bytes.
-
-
The length of the serialization of ig’s bidding url, if the field is not null.
-
The length of the serialization of ig’s bidding wasm helper url, if the field is not null.
-
The length of the serialization of ig’s update url, if the field is not null.
-
The length of the serialization of ig’s trusted bidding signals url, if the field is not null.
-
4, which is the size of ig’s trusted bidding signals slot size mode.
Note: Each of trusted bidding signals slot size mode's value represents a
longinteger, so 4 bytes. -
For each key of ig’s trusted bidding signals keys:
-
The length of key.
-
-
If ig’s max trusted bidding signals url length is not null:
-
4, which is the size of ig’s max trusted bidding signals url length.
-
-
The length of ig’s user bidding signals.
-
If ig’s ads is not null, for each ad of it:
-
The length of the serialization of ad’s render url.
-
The length of ad’s buyer reporting ID if the field is not null.
-
The length of ad’s buyer and seller reporting ID if the field is not null.
-
If ad’s allowed reporting origins is not null, for each origin of it:
-
The length of the serialization of origin.
-
-
-
If ig’s ad components is not null, for each ad of it:
-
The length of the serialization of ad’s render url.
-
-
If ig’s additional bid key is not null:
-
32, which is its size (number of bytes).
-
-
Let url be the result of running the URL parser on input.
-
If url is failure, or its scheme is not "
https", then return failure. -
Return url’s origin.
-
If url is null, then return
undefined. -
Return the serialization of url.
double value:
-
If value is not a valid floating-point number, return value.
-
Let valueExp be value’s IEEE 754 biased exponent field minus 1023.
-
Let normValue be value multiplied by 2(−1 × valueExp).
-
If valueExp < −128:
-
If value < 0, return −0.
-
Otherwise, return 0.
-
-
If valueExp > 127:
-
If value < 0, return −∞.
-
Otherwise, return ∞.
-
-
Let precisionScaledValue be normValue multiplied by 256.
-
Let noisyScaledValue be precisionScaledValue plus a random
doublevalue greater than or equal to 0 but less than 1. -
Let truncatedScaledValue be the largest integer not greater than noisyScaledValue.
-
Return truncatedScaledValue multiplied by 2(valueExp − 8).
This would ideally be replaced by a more descriptive algorithm in Infra. See infra/201
-
Let uuidStr be an empty string.
-
For each i in the range from 1 to 36, inclusive:
-
Let unit be input’s ith code unit.
-
If « 8, 13, 18, 23 » contains i:
-
If unit is not 0x002D (-), then return an empty string.
-
-
Otherwise:
-
If unit is not an ASCII lower hex digit, then return an empty string.
-
Append unit to the end of uuidStr.
-
-
-
Return ASCII encoded uuidStr.
12. Permissions Policy Integration
This specification defines two policy-controlled features identified by the strings
"join-ad-interest-group", and
"run-ad-auction". Their default allowlists are "*".
Move from "*" to "self"
(WICG/turtledove#522).
To check interest group permissions given an origin ownerOrigin, an origin frameOrigin, and an enum joinOrLeave which is "join" or "leave":
-
If ownerOrigin is same origin with frameOrigin, then return true.
-
Let encodedFrameOrigin be the result of UTF-8 percent-encoding the serialized frameOrigin using component percent-encode set.
-
Let request be a new request with the following properties:
- URL
-
permissionsUrl
- header list
-
«
Accept:application/json» - client
-
null - origin
-
frameOrigin
- mode
-
"
cors" - referrer
-
"
no-referrer" - credentials mode
-
"
omit" - redirect mode
-
"
error"
One of the side-effects of a
nullclient for this subresource request is it neuters all service worker interceptions, despite not having to set the service workers mode. -
Let resource be null.
-
Fetch request with useParallelQueue set to true, and processResponseConsumeBody set to the following steps given a response response and null, failure, or a byte sequence responseBody:
-
If responseBody is null or failure, set resource to failure and return.
-
Let headers be response’s header list.
-
Let mimeType be the result of extracting a MIME type from headers.
-
If mimeType is failure or is not a JSON MIME Type, set resource to failure and return.
-
Set resource to responseBody.
-
-
Wait for resource to be set.
-
If resource is failure, then return false.
-
Let permissions be the result of parsing JSON bytes to an Infra value with resource, returning false on failure.
-
If permissions is not an ordered map, then return false.
-
If joinOrLeave is "
join" and permissions["joinAdInterestGroup"] exists, then return permissions["joinAdInterestGroup"]. -
If joinOrLeave is "
leave" and permissions["leaveAdInterestGroup"] exists, then return permissions["leaveAdInterestGroup"]. -
Return false.
The browser may cache requests for permissionsUrl within a network partition.
In order to prevent leaking data, the browser must request permissionsUrl regardless of whether the user is a member of the ad interest group. This prevents a leak of the user’s ad interest group membership to the server.
13. Fetch Patch for Auction Headers
This section specifies a manner by which some data, including additional bids and direct from seller signals, may be provided to auctions such that the data is only used within their intended auction.
Any Document in a traversable navigable may run a Protected Audience auction (with navigator.runAdAuction()) whose script runners functions receive signal
objects derived from JSON from an `Ad-Auction-Signals` header, or additional bids derived from
an `Ad-Auction-Additional-Bid` header, captured by a fetch() call
(using the adAuctionHeaders option) initiated by any other Document in the same traversable navigable, or from an iframe navigation request (using the adauctionheaders content attribute on the iframe element).
Each traversable navigable has a captured ad auction signals headers, which is a map whose keys are direct from seller signals keys and whose values are direct from seller signals.
NOTE: This is only captured during a request whose initiator type is "fetch", made
with the adAuctionHeaders option set to true, or during an iframe navigation request with the adauctionheaders content attribute set to true, as described in the `Ad-Auction-Signals` header description.
Each traversable navigable has a captured ad auction additional bids headers, which is a map whose keys are auction nonces and whose values are strings.
NOTE: This is only captured during a request whose initiator type is "fetch", made
with the adAuctionHeaders option set to true, or during an iframe navigation request with the adauctionheaders content attribute set to true, as described in the `Ad-Auction-Additional-Bid` header description.
A request has an associated boolean capture-ad-auction-headers. Unless stated otherwise it is false.
RequestInit dictionary to add an adAuctionHeaders attribute:
partial dictionary RequestInit {boolean ; };adAuctionHeaders
new Request (input, init) constructor steps, before
step "Set this's request to request":
-
If init["
adAuctionHeaders"] exists, then set request’s capture-ad-auction-headers to it.
iframe element to add a adauctionheaders content attribute.
The IDL attribute adAuctionHeaders reflects the adauctionheaders content attribute.
partial interface HTMLIFrameElement { [CEReactions ]attribute boolean ; };adAuctionHeaders
-
If navigable’s container is an
iframeelement, and if it has aadauctionheaderscontent attribute, then set request’s capture-ad-auction-headers to true.
-
If request's capture-ad-auction-headers is true, then set a structured field value given «`
Sec-Ad-Auction-Fetch`, the boolean?1» in httpRequest’s header list.
13.1. The `Sec-Ad-Auction-Fetch` HTTP
request header
The `Sec-Ad-Auction-Fetch` request header is an optional structured header with of type boolean. `Sec-Ad-Auction-Fetch` will only
be set on a request whose initiator type is "fetch", made with the adAuctionHeaders option set to true, or on an iframe navigation request with the adauctionheaders content attribute set to true. If `Sec-Ad-Auction-Fetch` is equal to ?1,
the user agent will remove any `Ad-Auction-Signals` or `Ad-Auction-Additional-Bid` from the
returned response -- the `Ad-Auction-Signals` or `Ad-Auction-Additional-Bid` value will
instead only be used in Protected Audiences auctions.
13.2. The `Ad-Auction-Signals` HTTP
response header
The `Ad-Auction-Signals` response header provides value
of a JSON array of dictionaries, each with an adSlot key. Protected Audience non-component,
component, and top-level auctions may specify which signals to load by the adSlot key.
13.3. The `Ad-Auction-Additional-Bid`
HTTP response header.
The `Ad-Auction-Additional-Bid` response header provides value
of a string in the format of <auction nonce>:<base64-encoding of the signed additional bid>, which
corresponds to a single additional bid. The response may include more than one additional bid by specifying multiple instances of the `Ad-Auction-Additional-Bid` response header.
-
Delete "`
Ad-Auction-Signals`" from response’s header list. -
Delete "`
Ad-Auction-Additional-Bid`" from response’s header list.
-
If response is not null, response’s status is not a redirect status, fetchParams’s task destination is a global object that’s a
Windowobject, and request’s capture-ad-auction-headers istrue:-
Let navigable be fetchParams’s task destination's associated Document's node navigable's traversable navigable.
-
Run update captured headers with navigable’s captured ad auction signals headers, navigable’s captured ad auction additional bids headers, response’s header list, and request’s URL's origin.
-
To update captured headers with a captured ad auction signals headers storedSignalsHeaders, captured ad auction additional bids headers storedAdditionalBidsHeaders, header list responseHeaders, and origin requestOrigin:
-
Let adAuctionSignals be the result of getting `
Ad-Auction-Signals` from responseHeaders. -
If adAuctionSignals is not null:
-
Delete "`
Ad-Auction-Signals`" from responseHeaders.NOTE: This step prevents the header value from being used outside the intended auctions —that is, scripts making the
fetch()request aren’t able to load the header value. -
Handle ad auction signals header value given adAuctionSignals, storedSignalsHeaders and requestOrigin.
-
-
Let additionalBids be the result of getting, decoding, and splitting `
Ad-Auction-Additional-Bid` from responseHeaders. -
If additionalBids is not null:
-
Delete "`
Ad-Auction-Additional-Bid`" from responseHeaders.NOTE: This step prevents the header value from being used outside the intended auctions —that is, scripts making the
fetch()request aren’t able to load the header value. -
For each bid of additionalBids:
-
Let nonceAndAdditionalBid be the result of strictly splitting bid on U+003A (:).
-
Let nonce be nonceAndAdditionalBid[0].
-
Set storedAdditionalBidsHeaders[nonce] to nonceAndAdditionalBid[1].
-
-
-
Let parsedSignals be the result of parsing JSON bytes to an Infra value, given adAuctionSignals.
-
If parsedSignals is failure or not a list, return.
-
Let headerAdSlots be a new ordered set.
-
For each signal of parsedSignals:
-
If signal is not an ordered map, continue.
-
If signal["
adSlot"] doesn’t exist, continue. -
If headerAdSlots contains signal["
adSlot"], continue. Optionally, report a warning to the console with a diagnostic error message indicating that a duplicate `Ad-Auction-Signals`adSlotdictionary was ignored. -
Append signal["
adSlot"] to headerAdSlots. -
Let signalsKey be a new direct from seller signals key, with its seller set to requestOrigin and its ad slot set to signal["
adSlot"]. -
Let processedSignals be a new direct from seller signals.
-
Remove signal["
adSlot"]. -
For each key → value of signal:
-
Switch on key:
- "
sellerSignals" -
-
Set processedSignals’s seller signals to the result of serializing an Infra value to a JSON string, given value.
-
- "
auctionSignals" -
-
Set processedSignals’s auction signals to the result of serializing an Infra value to a JSON string, given value.
-
- "
perBuyerSignals" -
-
If value is not an ordered map, continue.
-
For each buyer → buyerSignals of value:
-
Let buyerOrigin be the result of parsing an https origin on buyer.
-
If buyerOrigin is failure, continue.
-
Let buyerSignalsString be the result of serializing an Infra value to a JSON string, given buyerSignals.
-
Set processedSignals’s per buyer signals[buyerOrigin] to buyerSignalsString.
-
-
- "
-
-
Set storedSignalsHeaders[signalsKey] to processedSignals.
-
14. Structures
dictionary {PreviousWin required long long ;timeDelta required DOMString ; };adJSON dictionary {BiddingBrowserSignals required DOMString ;topWindowHostname required USVString ;seller required long ;joinCount required long ;bidCount required long ;recency required long ;adComponentsLimit USVString ;topLevelSeller sequence <PreviousWin >;prevWinsMs object ;wasmHelper unsigned long ;dataVersion boolean =forDebuggingOnlyInCooldownOrLockout false ; };dictionary {ScoringBrowserSignals required DOMString ;topWindowHostname required USVString ;interestGroupOwner required USVString ;renderURL required unsigned long ;biddingDurationMsec required DOMString ;bidCurrency unsigned long ;dataVersion sequence <USVString >;adComponents boolean =forDebuggingOnlyInCooldownOrLockout false ; };
Note: ScoringBrowserSignals's adComponents is undefined when ad component descriptors is null or an empty list. It cannot be
an empty list.
dictionary {ReportingBrowserSignals required DOMString ;topWindowHostname required USVString ;interestGroupOwner required USVString ;renderURL required double ;bid required double ;highestScoringOtherBid DOMString ;bidCurrency DOMString ;highestScoringOtherBidCurrency USVString ;topLevelSeller USVString ;componentSeller USVString ; };buyerAndSellerReportingId
ReportingBrowserSignals includes browser signals both reportResult() and reportWin() get.
topWindowHostname- Top-level origin's host
interestGroupOwner- The winning interest group's owner.
renderURL- The render URL returned by "
generateBid()". It is k-anonymous bid- Stochastically rounded winning bid. This is always in the bidder’s own currency
highestScoringOtherBid- The stochastically rounded value of the bid that got the second highest score, or 0 if it’s not available. 0 for top-level auctions with components
bidCurrency- The currency the
bidis in highestScoringOtherBidCurrency- The currency the
highestScoringOtherBidis in topLevelSeller- Copied from top level seller
componentSeller- Copied from component seller
buyerAndSellerReportingId- Set if the winning ad had a buyer and seller reporting ID set in its listing in the interest group, and that value was jointly k-anonymous combined with interest group owner, bidding script URL, and ad creative URL.
dictionary :ReportResultBrowserSignals ReportingBrowserSignals {required double ;desirability DOMString ;topLevelSellerSignals double ;modifiedBid unsigned long ; };dataVersion
desirability- The stochastically rounded value of the score returned by "
scoreAd()" for the winning bid topLevelSellerSignals- Metadata returned by the top-level seller’s "
reportResult()", as JSON modifiedBid- The stochastically rounded value of the bid value returned by the component
seller’s "
scoreAd()" method dataVersion- Set to the value of the `
Data-Version` header from the trusted scoring signals server, if any.
dictionary :ReportWinBrowserSignals ReportingBrowserSignals {double ;adCost USVString ;seller boolean ;madeHighestScoringOtherBid DOMString ;interestGroupName DOMString ;buyerReportingId unsigned short ;modelingSignals unsigned long ;dataVersion KAnonStatus ; };kAnonStatus enum {KAnonStatus ,"passedAndEnforced" ,"passedNotEnforced" ,"belowThreshold" };"notCalculated"
adCost- Stochastically rounded winner’s ad cost.
seller- The origin of the seller running the ad auction
madeHighestScoringOtherBid- True if the interest group owner was the only bidder that made bids with the second highest score
buyerReportingId- Set if the winning ad had a buyer reporting ID but not a buyer and seller reporting ID set in its listing in the interest group, and that value was jointly k-anonymous combined with interest group owner, bidding script URL, and ad creative URL.
interestGroupName-
Only set if the tuple of interest group owner, name, bidding script URL and ad creative URL
were jointly k-anonymous, and the winning ad had neither buyer and seller reporting ID nor buyer reporting ID set in its listing in the interest group.
modelingSignals- A 0-4095 integer (12-bits) passed to
reportWin(), with noising dataVersion- Only set if the Data-Version header was provided in the response headers from the trusted bidding signals server
kAnonStatus-
Indicate the k-anonymity status of the ad with the following
KAnonStatusenums:-
passedAndEnforced: The ad was k-anonymous and k-anonymity was required to win the auction. -
passedNotEnforced: The ad was k-anonymous though k-anonymity was not required to win the auction. -
belowThreshold: The ad was not k-anonymous but k-anonymity was not required to win the auction. -
notCalculated: The browser did not calculate the k-anonymity status of the ad, and k-anonymity was not required to win the auction.
From a long-term perspective, the status will always be set to
passedAndEnforcedafter k-anonymity is enforced. However, as a temporary solution, current implementations may setkAnonStatusto one of the other three statuses to allow API users to assess the future impact of enforcing that ads are k-anonymous. -
dictionary {DirectFromSellerSignalsForBuyer any =auctionSignals null ;any =perBuyerSignals null ; };
dictionary {DirectFromSellerSignalsForSeller any =auctionSignals null ;any =sellerSignals null ; };
14.1. Interest group
An interest group is a struct with the following items:
- expiry
-
A moment at which the browser will forget about this interest group.
- owner
-
An origin. Frames that join interest groups owned by owner must either be served from owner, or another origin delegated by owner (See checking interest group permissions for details). The scheme must be "
https". - name
-
A string. The (owner, name) tuple is a key that uniquely defines each interest group.
- priority
-
A
double, initially 0.0. Used to select which interest groups participate in an auction when the number of interest groups are limited byperBuyerGroupLimits. See applying interest groups limits to prioritized list. - enable bidding signals prioritization
-
A boolean, initially false. Being true if the interest group’s priority should be calculated using vectors from bidding signals fetch.
- priority vector
-
Null or an ordered map whose keys are strings and whose values are
double. Its dot product with theperBuyerPrioritySignalswill be used in place of priority, if set. - priority signals overrides
-
Null or an ordered map whose keys are strings and whose values are
double. Overrides theAuctionAdConfig's corresponding priority signals. - seller capabilities
-
Null or an ordered map whose keys are origins and whose values are sets of seller capabilities. The seller capabilities this interest group grants to each seller.
- all sellers capabilities
-
Null or a set of seller capabilities. The default seller capabilities granted to sellers not listed in seller capabilities.
- execution mode
-
One of three possible values: "
compatibility", "frozen-context", or "group-by-origin". Initially "compatibility". Each value reprensents alonginteger. TODO: Define spec for these execution modes, link to it from here and explain these modes. - bidding url
-
Null or a URL. The URL to fetch the buyer’s JavaScript from.
When non-null, the bidding url's origin will always be same origin with owner.
- bidding wasm helper url
-
Null or a URL. Lets the bidder provide computationally-expensive subroutines in WebAssembly, in addition to JavaScript, to be driven from the JavaScript function provided by bidding url.
When non-null, the bidding wasm helper url's origin will always be same origin with owner.
- update url
-
Null or a URL. Provides a mechanism for the group’s owner to periodically update the attributes of the interest group. See § 9 Interest Group Updates. Must be null if additional bid key is not null.
When non-null, the update url's origin will always be same origin with owner.
- trusted bidding signals url
-
Null or a URL. Provide a mechanism for making real-time data available for use at bidding time. See building trusted bidding signals url.
When non-null, the trusted bidding signals url's origin will always be same origin with owner.
- trusted bidding signals keys
-
Null or a list of string. See building trusted bidding signals url.
- trusted bidding signals slot size mode
-
"
none", "slot-size" or "all-slots-requested-sizes". Initially "none". Each value reprensents alonginteger. See calculate the ad slot size query param. - max trusted bidding signals url length
-
A
longinteger, initially 0. Indicates the maximum trusted bidding signals fetch url length for the interest group. 0 means no limit. - user bidding signals
-
Null or a string. Additional metadata that the owner can use during on-device bidding.
- ads
-
Null or a list of interest group ad. Contains various ads that the interest group might show. Must be null if additional bid key is not null.
- ad components
-
Null or a list of interest group ad. Contains various ad components (or "products") that can be used to construct ads composed of multiple pieces — a top-level ad template "container" which includes some slots that can be filled in with specific "products".
- additional bid key
-
Null or a byte sequence of length 32. Must be null if ads or update url is not null. The Ed25519 public key (a 256-bit EdDSA public key) used to guarantee that this interest group, if used by an additional bid for a negative targeting, can only be used by its owner.
- joining origin
-
An origin. The top level page origin from where the interest group was joined.
- join counts
-
A list containing tuples of the day and per day join count. The day is calculated based on UTC time. The join count is a count of the number of times
joinAdInterestGroup()was called for this interest group on the corresponding day. - join time
-
A moment at which the browser joined this interest group, updated upon each join and re-join.
- bid counts
-
A list containing tuples of the day and per day bid count. The day is calculated based on UTC time. The bid count is a count of the number of times the bid calculated during
runAdAuction()was greater than 0. - previous wins
-
A list of previous wins.
- next update after
-
A moment at which the browser will permit updating this interest group. See interest group updates.
A regular interest group is an interest group whose additional bid key is null.
A negative interest group is an interest group whose additional bid key is not null.
An interest group ad is a struct with the following items:
- render url
-
A URL. If this ad wins the auction, this URL (or a urn uuid that maps to this URL) will be returned by
runAdAuction(). This URL is intended to be loaded into an adiframe(or afencedframe). - metadata
-
Null or a string. Extra arbitary information about this ad, passed to
generateBid(). - buyer reporting ID
-
Null or a string. Will be passed in place of interest group name to report win, subject to k-anonymity checks. Only meaningful in ads, but ignored in ad components.
- buyer and seller reporting ID
-
Null or a string. Will be passed in place of interest group name or buyer reporting ID to report win and report result, subject to k-anonymity checks. Only meaningful in ads, but ignored in ad components.
- allowed reporting origins
-
Null or a list of origins. A list of up to 10 reporting origins that can receive reports with registered macros. Each origin’s scheme must be "
https" and each origin must be enrolled. Only meaningful in ads, but ignored in ad components.
A previous win is the interest group's auction win history, to allow on-device frequency capping. It’s a struct with the following items:
- time
-
A moment. Approximate time the interest group won an auction.
- ad json
-
A string. A JSON serialized object corresponding to the ad that won the auction.
A seller capability is a permission granted by an interest group to sellers. It’s
"interest-group-counts" or "latency-stats". Each value represents a single bit in a 4-byte byte sequence. The 4-byte byte sequence can store no more than 32 capabilities.
Note: More than 2 values, but probably not more than 32 values are planned, at least for a while. This way, there is not need to reserve more space for a while.
14.2. Currency tag
A currency tag is a string containing exactly 3 upper-case ASCII letters, or null. The null value is used to denote that the currency is unspecified.-
If currency is null, return "???".
-
Return currency.
-
If length of currencyString is not 3, return false.
-
If currencyString[0] is not a ASCII upper alpha code point, return false.
-
If currencyString[1] is not a ASCII upper alpha code point, return false.
-
If currencyString[2] is not a ASCII upper alpha code point, return false.
-
Return true.
-
If expected is null, return true.
-
If actual is null, return true.
-
If actual is equal to expected, return true.
-
Return false.
14.3. Auction config
An auction config is a struct with the following items:
- seller
-
An origin. The origin of the seller running the ad auction. The scheme must be "
https". - decision logic url
-
A URL. The URL to fetch the seller’s JavaScript from.
The decision logic url's origin will always be same origin with seller.
- trusted scoring signals url
-
Null or a URL. Provide a mechanism for making real-time data (information about a specific ad creative) available for use at scoring time, e.g. the results of some ad scanning system.
When non-null, the trusted scoring signals url's origin will always be same origin with seller.
- max trusted scoring signals url length
-
A
longinteger, initially 0. Indicates the maximum trusted scoring signals fetch url length for the auction config. 0 means no limit. - interest group buyers
-
Null or a list of origins. Owners of interest groups allowed to participate in the auction. Each origin’s scheme must be "
https". - auction signals
-
Null, a string, a
Promise, or failure. Opaque JSON data passed to both sellers' and buyers' script runners. - requested size
-
Null or an ad size, initially null. The size of the frame for the ad being selected by the auction.
- all slots requested sizes
-
Null or a non-empty ordered set of ad sizes, initially null. The sizes of all frames for ads being selected by any auction in the frame.
- seller signals
-
Null, a string, a
Promise, or failure. Opaque JSON data passed to the seller’s script runner. - seller timeout
-
A duration in milliseconds, initially 50 milliseconds. Restricts the runtime of the seller’s
scoreAd()script. If scoring does not complete before the timeout, the bid being scored is not considered further. - per buyer signals
-
Null, a
Promise, failure, or an ordered map whose keys are origins and whose values are strings. Keys are buyers whose schemes must be "https". Values are opaque JSON data passed to corresponding buyer’s script runner. - per buyer timeouts
-
Null, a
Promise, failure, or an ordered map whose keys are origins and whose values are durations in milliseconds. Keys are buyers whose schemes must be "https". Values restrict the runtime of corresponding buyer’sgenerateBid()script. If the timeout expires, only the bid submitted viasetBid()is considered. - all buyers timeout
-
A duration in milliseconds, initially 50 milliseconds. Restricts the
generateBid()script’s runtime for all buyers without a timeout specified in per buyer timeouts. If the timeout expires, only the bid submitted viasetBid()is considered. - per buyer cumulative timeouts
-
Null, a
Promise, failure, or an ordered map whose keys are origins and whose values are durations in milliseconds. Keys are buyers whose schemes must be "https". Values are collective timeouts for all interest groups of the buyer represented by the key. Includes the time of loading scripts and signals, and running thegenerateBid()functions. Once the timer expires, the affected buyer’s interest groups may no longer generate any bids. All bids generated before the timeout will continue to participate in the auction. Implementations should attempt, on a best-effort basis, to generate bids for each buyer in priority order, so lower priority interest groups are the ones more likely to be timed out. IfPromises are passed in to the auction config for fields that support them, wait until configuration input promises resolve before starting the timer. - all buyers cumulative timeout
-
Null or a duration in milliseconds, initially null. Restricts a buyer’s cumulative timeout for all buyers without one specified in per buyer cumulative timeouts.
- per buyer group limits
-
Null or an ordered map whose keys are origins and whose values are
unsigned shorts. Keys are buyers whose schemes must be "https". Values restrict the number of bidding interest groups for a particular buyer that can participate in an auction. - all buyers group limit
-
An
unsigned short, initially 65535. Limit on the number of bidding interest groups for all buyers without a limit specified in per buyer group limits. - per buyer priority signals
-
Null or an ordered map whose keys are origins and whose values are ordered maps, whose keys are strings and whose values are
double. Per-buyer sparse vector whose dot product with priority vector is used to calculate interest group priorities. No signal’s key starts with "browserSignals.", which is reserved for values coming from the browser. - all buyers priority signals
-
Null or an ordered map whose keys are strings and whose values are
double. Merged with per buyer priority signals before calculating per-interest group priorities. In the case both have entries with the same key, the entry inper_buyer_priority_signalstakes precedence. No signals key start with "browserSignals.", which is reserved for values coming from the browser. - required seller capabilities
-
A set of seller capabilities. The seller capabilities that each interest group must declare to participate in the auction. Interest groups that don’t declare all these capabilities will not participate in the auction.
- component auctions
-
A list of auction configs. Nested auctions whose results will also participate in a top level auction. Only the top level auction config can have component auctions.
- deprecated render url replacements
-
Null, a
Promise, failure, or a list of ad keyword replacements, each containing a single match and replacement. Render url replacements can only happen within a single seller auction config or within the component auction configs. - seller experiment group id
-
Null or an
unsigned short, initially null. Optional identifier for an experiment group to support coordinated experiments with the seller’s trusted server. - per buyer experiment group ids
-
An ordered map whose keys are origins and whose values are
unsigned shorts. Keys are buyers whose schemes must be "https". Values are identifiers for experiment groups, to support coordinated experiments with buyers' trusted servers. - all buyer experiment group id
-
Null or an
unsigned short, initially null. Optional identifier for an experiment group to support coordinated experiments with buyers' trusted servers for buyers without a specified experiment group. - pending promise count
-
An integer, initially 0. The number of things that are pending that are needed to score everything. It includes waiting for
Promises auction signals, per buyer signals, per buyer currencies, per buyer timeouts, direct from seller signals header ad slot, seller signals, oradditionalBidswhosePromises are not yet resolved. - config idl
- resolve to config
-
A boolean or a
Promise, initially false. Whether the ad should be returned as aFencedFrameConfig, or otherwise as a urn uuid. - seller currency
-
A currency tag. Specifies the currency bids returned by
scoreAd()are expected to use, and which reporting for this auction will agree on. - per buyer currencies
-
A
Promiseor failure or an ordered map whose keys are origins and whose values are currency tags. Specifies the currency bids returned bygenerateBid()orscoreAd()in component auctions are expected to use. The initial value is an empty map. - all buyers currency
-
A currency tag. Specifies the currency bids returned by
generateBid()orscoreAd()in component auctions are expected to use if per buyer currencies does not specify a particular value. - direct from seller signals header ad slot
- auction nonce
-
Null or a version 4 UUID, initially null. A unique identifier associated with this and only this invocation of
navigator.runAdAuction(). For multi-seller auctions, this ID is uniquely associated with allcomponentAuctions. This must come from a prior call tonavigator.createAuctionNonce(). This is only required for auctions that provide additional bids, and each of those additional bids must use the same auction nonce to ensure that each of them was intended for this and only this auction. - expects additional bids
-
A boolean or failure, initially false. Specifies whether some bids will be provided as signed exchanges. Sets to failure if the
additionalBidsPromiseis rejected.
-
Wait until auctionConfig’s pending promise count is 0.
-
Assert auctionConfig’s auction signals, seller signals, per buyer signals, per buyer currencies, per buyer timeouts, per buyer cumulative timeouts, deprecated render url replacements, and direct from seller signals header ad slot are not
Promises, and expects additional bids is false. -
If auctionConfig’s auction signals, seller signals, per buyer signals, per buyer currencies, per buyer timeouts, per buyer cumulative timeouts, deprecated render url replacements, or direct from seller signals header ad slot is failure, return failure.
-
Return.
-
For each componentAuctionConfig in auctionConfig’s component auctions:
-
If the result of waiting until configuration input promises resolve given componentAuctionConfig is failure, return failure.
-
-
Return the result of waiting until configuration input promises resolve given auctionConfig.
Promise p, and two sequences of steps, covering the parsing of the value and error-handling:
-
Increment auctionConfig’s pending promise count.
-
Let resolvedAndTypeChecked be the promise representing performing the following steps upon fulfillment of p with result:
-
Execute the steps to be run for parsing of the value given result.
-
If no exception was thrown in the previous step, then decrement auctionConfig’s pending promise count.
-
-
Upon rejection of resolvedAndTypeChecked:
-
Execute the steps for error-handling.
-
Decrement auctionConfig’s pending promise count.
-
-
Let perBuyerCurrency be auctionConfig’s all buyers currency
-
Assert that auctionConfig’s per buyer currencies is an ordered map.
-
If auctionConfig’s per buyer currencies[buyer] exists, then set perBuyerCurrency to auctionConfig’s per buyer currencies[buyer].
-
Return perBuyerCurrency
14.4. Bid generator
A per buyer bid generator is an ordered map whose keys are URLs representing trusted bidding signals urls, and whose values are per signals url bid generators.
A per signals url bid generator is an ordered map whose keys are origins representing joining origins, and whose values are lists of interest groups.
14.5. Generated bid
A generated bid is a bid that needs to be scored by the seller. The bid is either the
result of evaluating a bidding script, or an additional bid provided by the `Ad-Auction-Additional-Bid` response headers. It’s a struct with the following items:
- id
-
An
unsigned long. Used to identify a generated bid. - for k-anon auction
-
A boolean, initially true. If this is false, the bid is only used to determine the hypothetical winner with no k-anonymity constraints, which would be used to update k-anonymity counts only.
- bid
-
A bid with currency. If the value is zero or negative, then this interest group will not participate in the auction.
- bid in seller currency
-
A
doubleor null. An equivalent of the original bid in seller’s currency. This is either the original bid if the currency already matched, or a conversion provided byscoreAd(). - ad
-
A string. JSON string to be passed to the scoring function.
TODO: Check whether ad descriptor can be moved to bid ad to avoid duplication (WICG/turtledove#868).
- ad descriptor
-
An ad descriptor. Render URL and size of the bid’s ad.
- ad component descriptors
-
Null or a list of ad descriptors. Ad components associated with bid, if any. May have at most 40 items. Must be null if the interest group making this bid has a null ad components field.
- ad cost
-
Null or a
double. Advertiser click or conversion cost passed fromgenerateBid()toreportWin(). Negative values will be ignored and not passed. Will be stochastically rounded when passed. - modeling signals
-
Null or an
unsigned short. A 0-4095 integer (12-bits) passed toreportWin(), with noising. - interest group
-
An interest group, whose
generateBid()invocation generated this bid, or specified by the additional bid. - bid ad
-
The interest group ad within interest group to display.
- modified bid
-
Null or a bid with currency. Being null for top level auction. The bid value a component auction’s
scoreAd()script returns. - bid duration
-
A duration in milliseconds. How long it took to run
generateBid(). - provided as additional bid
-
A boolean, initially false.
- component seller
-
Null or an origin. Seller in component auction which the interest group is participating. Only set for component auctions, null otherwise.
A bid debug reporting info is a struct with the following items:
- id
-
An
unsigned long-or-null. Matches a id of the generated bid corresponding to this reporting information, or null if no bid was produced, in which case the debug loss URLs are still relevant. - component seller
-
Null or an origin. Seller in component auction which was running to produce this reporting information. Only set for component auctions, null otherwise.
- interest group owner
-
An origin. Matches owner of the interest group that was used to call
generateBid()to produce this reporting information. - bidder debug win report url
-
Null or a URL, initially null. Set by
generateBid()’sforDebuggingOnly'sreportAdAuctionWin(url). - bidder debug loss report url
-
Null or a URL, initially null. Set by
generateBid()’sforDebuggingOnly'sreportAdAuctionLoss(url). - seller debug win report url
-
Null or a URL, initially null. In the case of a component auction, these are the values from component seller that the scored ad was created in. Set by
scoreAd()’sforDebuggingOnly'sreportAdAuctionWin(url). - seller debug loss report url
-
Null or a URL, initially null. In the case of a component auction, these are the values from component seller that the scored ad was created in. Set by
scoreAd()’sforDebuggingOnly'sreportAdAuctionLoss(url). - top level seller debug win report url
-
Null or a URL, initially null. Set in the case this bid was made in a component auction, won it, and was then scored by the top-level seller. Set by top-level seller’s
scoreAd()’sforDebuggingOnly'sreportAdAuctionWin(url). - top level seller debug loss report url
-
Null or a URL, initially null. Set in the case this bid was made in a component auction, won it, and was then scored by the top-level seller. Set by top-level seller’s
scoreAd()’sforDebuggingOnly'sreportAdAuctionLoss(url).
A bid with currency is a struct with the following items:
- value
-
A
double. The value of the bid. - currency
-
A currency tag. The currency the bid is in.
An ad descriptor is a struct with the following items:
- url
-
A URL, which will be rendered to display the ad creative if this bid wins the auction.
- size
-
Null or an ad size, initially null.
An ad size is a struct with the following items:
- width
-
A
double. - width units
-
A string. Can only be one of "px" (pixel), "sh" (screen height), and "sw" (screen width).
- height
-
A
double. - height units
-
A string. Can only be one of "px" (pixel), "sh" (screen height), and "sw" (screen width).
-
If either adSlotSize["height"] or adSlotSize["width"] does not exist, return null.
-
Let width and widthUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adSlotSize["width"], respectively.
-
If width is null, return null.
-
Let height and heightUnit be the dimension and dimension unit that results from running parse an AdRender dimension value with adSlotSize["height"], respectively.
-
If height is null, return null.
-
Let adSize be a new ad size.
-
Set adSize’s width to width, width units to widthUnit, height to height, height units to heightUnit.
-
Return adSize.
An ad keyword replacement is a struct with the following items:
- match
-
A string, represents the match within a
renderURL, that is going to be replaced by replacement. Must be in the format${...}or%%...%%. - replacement
14.6. Direct from seller signals
A direct from seller signals key is a struct with the following items:
- seller
-
An origin. Matches the origin that served the captured `
Ad-Auction-Signals` header. - ad slot
-
A string. Matches the
adSlotkey of the JSON dictionaries in the top-level array of the `Ad-Auction-Signals` value.
A direct from seller signals is a struct with the following items:
- auction signals
-
Null or a string. Opaque JSON data passed to both buyers' and the seller’s script runners.
- seller signals
-
Null or a string. Opaque JSON data passed to the seller’s script runner.
- per buyer signals
-
A map whose keys are origins and whose values are strings. Keys are buyers whose scheme must be "
https". Values are opaque JSON data passed to corresponding buyer’s script runner.
14.7. Score ad output
The output of running a Protected Audience scoreAd() script, is represented using the following type:
dictionary {ScoreAdOutput required double ;desirability double ;bid DOMString ;bidCurrency double ;incomingBidInSellerCurrency boolean =allowComponentAuction false ; };
Either a dictionary of this type, or a double, are handled as the return values.
The meanings of the fields are as follows:
desirability- Numeric score of the bid. Must be positive or the ad will be rejected. The winner of the auction is the bid which was given the highest score.
bid- Only relevant if this is a component auction. If present, this will be passed to the top-level
seller’s
scoreAd()andreportResult()methods instead of the original bid, if the ad wins the component auction and top-level auction, respectively. bidCurrency- Only relevant if this is a component auction and
bidis set. Specifies which currency thebidfield is in. incomingBidInSellerCurrency- Provides a conversion of the incoming bid to auction’s seller currency. This is different from
bidwhich is the bid the component auction itself produces. allowComponentAuction- If the bid being scored is from a component auction and this value is not true, the bid is ignored. This field must be present and true both when the component seller scores a bid, and when that bid is being scored by the top-level auction.
TODO: This also has an ad field, which should behave similar to the way bid affects modified bid, and then affecting the adMetadata parameter to scoreAd.
-
If result is an an abrupt completion, return failure.
-
If result.[[Value]] is a Number:
-
Let checkedScore be the result of converting result.[[Value]] to a
double. -
If an exception was thrown in the previous step, return failure.
-
Let resultIDL be a new
ScoreAdOutput. -
Set resultIDL’s
desirabilityto checkedScore. -
Return resultIDL.
-
-
Let resultIDL be the result of converting result.[[Value]] to a
ScoreAdOutput. -
If an exception was thrown in the previous step, return failure.
-
If resultIDL["
bidCurrency"] exists and result of checking whether a string is a valid currency tag applied to resultIDL["bidCurrency"] is false, then return failure. -
Return resultIDL.
14.8. Leading bid info
A leading bid info is the information of the auction’s leading bid so far when ranking scored bids. It’s a struct with the following items:
- top score
-
A
double, initially 0.0. The highest score so far. - top non-k-anon-enforced score
-
A
double, initially 0.0. The highest score so far when disregarding k-anonymity. - top bids count
-
An integer, initially 0. The number of bids with the same
top score. - top non-k-anon-enforced bids count
-
Number of bids that are tied for leadership when disregarding k-anonymity thus far.
- at most one top bid owner
-
A boolean, initially true. Whether all bids of
top scoreare from the same interest group owner. - leading bid
-
Null or a generated bid, initially null. The leading bid of the auction so far.
- leading non-k-anon-enforced bid
-
Null or a generated bid, initially null. The leading bid of the auction disregarding k-anonymity so far.
- auction config
-
An auction config. The auction config of the auction which generated this leading bid.
- second highest score
-
A
double, initially 0.0. The second highest score so far. If more than one bids tie withtop score, this will be set totop score. - highest scoring other bids count
-
An integer, initially 0. The number of bids with the same
second highest score. - highest scoring other bid
-
Null or a generated bid. The second highest scoring other bid.
- highest scoring other bid owner
-
Null or an origin, initially null. The interest group owner that made bids with the
second highest score. Set to null if there are more than one owners made bids with thesecond highest score. - top level seller
-
Null or an origin. The seller in the top level auction. Only set for component auctions, null otherwise.
- top level seller signals
-
Null or a string. Signals from the seller in the top level auction, produced as the output of the top-level seller’s
reportResult()method. Only set for component auctions, null otherwise. - component seller
-
Null or an origin. Seller in component auction which generated this leading bid. Only set for the top level auction when component auctions are present, null otherwise.
- bidding data version
-
Null or an
unsigned long. Data-Version value from the trusted bidding signals server’s response(s). Will only be not null if the `Data-Version` header was provided and had a consistent value for all of the trusted bidding signals server responses used to construct the trustedBiddingSignals. - scoring data version
-
Null or an
unsigned long. Data-Version value from the trusted scoring signals server’s response. Will only be not null if the `Data-Version` header was provided in the response headers from the trusted scoring signals server. - buyer reporting result
-
Null or a reporting result, initially null.
- seller reporting result
-
Null or a reporting result, initially null.
- component seller reporting result
-
Null or a reporting result, initially null.
A reporting result is a struct with the following items:
- report url
-
Null or a URL, initially null. Set by
sendReportTo(url). - reporting beacon map
-
Null or an ordered map whose keys are strings and whose values are URLs, initially null. Set by
registerAdBeacon(map). - reporting macro map
-
Null or an ordered map whose keys are strings and whose values are strings, initially null. Set by
registerAdMacro(name, value).
An auction report info is a struct with the following items:
- debug win report urls
-
A list of URLs whose schemes must be "
https". The winning bid’s generated bid's debug win report URLs. - debug loss report urls
-
A list of strings whose schemes must be "
https". Losing bid’s generated bid's debug loss report URLs.TODO: Change the two lists to a single URL since no more than one debug reports can be sent after downsampling debug reports. While the browser is experimenting with third party cookie deprecation (before they have been fully removed), the
forDebuggingOnlyreporting APIs are not downsampled, so they are still lists.
15. Privacy Considerations
Protected Audience aims to advance the privacy of remarketing and custom audience advertising on the web, so naturally privacy considerations are paramount to Protected Audience’s design. Partitioning data by site is the central mechanism to prevent joining a user’s identity across sites:
-
Interest group definitions come from just one site, the site that called
joinAdInterestGroup(). -
Bidding (
generateBid()) and scoring (scoreAd()) scripts are exposed to interest group data from the joining site, and data from the site that will display the ad, but these scripts are run in strict isolation to prevent leaking this cross-site information. -
The browser can enforce that trusted bidding and scoring signals are fetched from servers complying with certain privacy requirements, e.g. not performing event-level logging.
-
Ads are rendered in
fencedframes that isolate them from the surrounding page to prevent cross-site leakage. -
Reporting is strictly controlled by the browser to prevent cross-site leaks: Inputs to event-level reporting functions,
reportWin()andreportResult(), only contain limited cross-site information, e.g. the k-anonymous ad URL. Event-level reporting is meant to be a temporary stepping stone to more private mechanisms like Private Aggregation API.
16. Security Considerations
Protected Audience involves the browser running untrusted JavaScript downloaded from multiple parties, so security concerns are top of mind. Fortunately Protected Audience is a highly constrained API not attempting to be a general purpose execution environment. Execution of this JavaScript is controlled and limited as follows:
-
Protected Audience requires the origin of the scripts’ URLs to match that of the origin of the interest group owner, which is in turn required to match the origin of the context calling the
joinAdInterestGroup(). -
URL schemes are required to be HTTPS.
-
Redirects are disallowed.
-
Responses are required to contain the
Ad-Auction-Allowed: ?1header. -
Fetches are uncredentialed.
Protected Audience has the browser pass in several “browserSignals” to the bidding script that give the script unforgeable information about the context that the script is being executed in. This way bidders and sellers have the choice to only participate in auctions where they are comfortable working with the involved parties.
The execution environment available to these scripts is the absolute minimum necessary to calculate a bid. It supports only ECMAScript. It does not support network, storage, timer, date, DOM, Workers, postMessage, Navigator or Window APIs.
Protected Audience adds Permission-Policies to control access to the Protected Audience APIs to give sites and embedders the ability to clamp down on use of the APIs as they see fit.
Auction config and interest group data are processed as JSON and not via the structured clone
algorithm, in part because interest groups are updated via JSON server responses. However, there
is also a security reason to not use the structured clone algorithm, which is that the data may
be shared with other parties -- in particular, the auction config perBuyerSignals are sent from the seller to each buyer. Supporting structured
cloning here would mean that buyer scripts would have to be prepared to handle arbitrary, complex,
and potentially cyclic objects from the seller.